1. INTRODUCTION

We present formal specifications of various aspects of the π-calculus, including its syntax, operational semantics, bisimulation relations, and modal logics. We shall do this by using the FOλ∇ logic [Miller and Tiu 2005]. We provide a high-level introduction to this logic here before presenting more technical aspects of it in the next section.

Just as it is common to use meta-level application to represent object-level application (for example, the encoding of P + Q is via the meta-level application of the encoding for plus to the encoding of its two arguments), we shall use meta-level λ-abstractions to encode object-level abstractions. The term higher-order abstract syntax (HOAS) [Pfenning and Elliott 1988] is commonly used to describe this approach to mapping object-level abstractions into some meta-level abstractions. Of course, the nature of the resulting encodings varies as one varies the meta-level. For example, if the meta-level is a higher-order functional programming language or a higher-order type theory, the usual abstraction available constructs function spaces. In this case, HOAS maps object-level abstractions to semantically rich function spaces: determining whether or not two syntactic objects are equal is then mapped to the question of determining if two functions are equal (typically, an undecidable judgment). In such a setting, HOAS is less about syntax and more about a particular mathematical denotation of the syntax. In this paper, we start with an intuitionistic subset of the Simple Theory of Types [Church 1940] that does not contain the mathematical axioms of extensionality, description, choice, and infinity. In this setting, λ-abstraction is not strong enough to denote general computable functions and equality of λ-terms is decidable. As a result, this weaker logic provides term-level bindings that can be used to encode syntax with bindings. This style of describing syntax via a meta-logic containing a weak form of λ-abstraction has been called the λ-tree syntax [Miller 2000] approach to HOAS in order to distinguish it from the approaches that use function spaces. The λ-tree syntax approach to encoding expressions is an old one (cf. [Huet and Lang 1978; Miller and Nadathur 1986; 1987; Paulson 1986]) and is used in specifications written in the logic programming languages λProlog [Nadathur and Miller 1988] and Twelf [Pfenning and Schürmann 1999].

Following Church, we shall use λ-abstractions to encode both term-level abstractions and formula-level abstractions (e.g., quantifiers). The computational aspects of the π-calculus are usually specified via structured operational semantics [Plotkin 1981]: here, such specifications are encoded directly as inference rules and proofs over primitive relational judgments (e.g., one-step transitions). As a result, a formal account of the interaction of binding in syntax and binding in computation leads to notions of proof-level abstractions. One such binding is the familiar eigenvariable abstraction of [Gentzen 1969] used to encode a universally quantified variable that has scope over an entire sequent. A second proof-level binding was introduced in [Miller and Tiu 2005] to capture a notion of generic judgment: this proof-level binding has a scope over individual entries within a sequent and is closely associated with the formula-level binding introduced by the ∇-quantifier. A major goal of this paper is to illustrate how the ∇-quantifier and this second proof-level abstraction can be used to specify and reason about computation: the π-calculus has been chosen, in part, because it is a small calculus in which bindings play an important role in computation.

A reading of the truth condition for ∇x_γ.Bx is something like the following: this formula is true if Bx is true for the new element x of type γ. In particular, the formula ∇x_γ∇y_γ. x ≠ y is a theorem regardless of the intended interpretation of the domain γ since the bindings for x and y are distinct. In contrast, the truth value of the formula ∀x_γ∀y_γ. x ≠ y is dependent on the domain γ: this quantified inequality is true if and only if the interpretation of γ is empty.

The FOλ∇ logic is based on intuitionistic logic, a weaker logic than classical logic. One of the principles missing from intuitionistic logic is that of the excluded middle: that is, A ∨ ¬A is not generally provable in intuitionistic logic. Consider, for example, the following formula concerning the variable w:

  ∀x_γ [x = w ∨ x ≠ w].   (*)

In classical logic, this formula is a trivial theorem. From a constructive point-of-view, it might not be desirable to admit this formula as a theorem in some cases. If the type of quantification γ is a conventional (closed) first-order datatype, then we might expect to have a decision procedure for equality. For example, if γ is the type for lists, then it is a simple matter to construct a procedure that decides whether or not two members of γ are equal by considering the top constructor of the list and, in the event of comparing two non-empty lists, making a recursive call (assuming a decision procedure is available for the elements of the list). In fact, it is possible to prove in an intuitionistic logic augmented with induction (see, for example, [Tiu 2004]) the formula (*) for closed, first-order datatypes.

If the type γ is not given inductively, as is the usual case for names in intuitionistic formalizations of the π-calculus (see [Despeyroux 2000] and below), then the corresponding instance of (*) is not provable. Thus, whether or not we allow instances of (*) to be assumed can change the nature of a specification. In fact, we show in Section 5 that if we add to our specification of open bisimulation [Sangiorgi 1996] assumptions corresponding to (*), then we get a specification of late bisimulation. If we were working with a classical logic, such a declarative presentation of these two bisimulations would not be so easy to describe.

The authors first presented the logic used in this paper in [Miller and Tiu 2003] and illustrated its usefulness with the π-calculus: in particular, the specifications of one-step transitions in Figure 2 and of late bisimulation in Figure 3 also appear in [Miller and Tiu 2003] but without proof. In this paper, we state the formal properties of our specifications, provide a specification of open bisimulation, and provide a novel comparison between open and late bisimulation. In particular, we show that the difference between open and late bisimulation (apart from the difference that arises from the use of types defined inductively or not) can be captured by the different quantification of free names using ∀ and ∇. We show in Section 5 that a natural class of name distinctions can be captured by the alternation of ∀ and ∇ quantifiers and, in the case where we are interested only in checking open bisimilarity modulo the empty distinction, the notion of distinction that arises in the process of checking bisimilarity is completely subsumed by quantifier alternation. In Section 6 we show that "modal logics for mobility" can easily be handled as well and present, for the first time, a modal characterization of open bisimulation. Since our focus in this paper is on names, scoping of names, dependency of names, and distinction of names, we have chosen to focus on the finite π-calculus. The treatment of the π-calculus with replication is presented in Section 7 through an example. In Section 8 we outline the automation of proof search based on these specifications: when such automation is applied to our specification of open bisimulation, a symbolic bisimulation procedure arises. In Section 9 we present some related and future work and Section 10 concludes the paper. In order to improve the readability of the main part of the paper, numerous technical proofs have been moved to the appendices.

Parts of this paper, in their preliminary forms and without proofs, have been presented in [Tiu and Miller 2004; Tiu 2005]: in particular, the material on encoding bisimulations (Section 5) corresponds to [Tiu and Miller 2004] and the material on encoding modal logics for the π-calculus (Section 6) corresponds to [Tiu 2005].

2. OVERVIEW OF THE LOGIC 

This paper is about the use of a certain logic to specify and reason about computation. We shall assume that the reader is not interested in an in-depth analysis of the logic but in its application. We state the most relevant results we shall need about this logic in order to reason about our π-calculus specifications. The reader who is interested in more details about this logic is referred to [Tiu 2004] and [Miller and Tiu 2005].

At the core of the logic FOλ∇ (pronounced "fold-nabla") is a first-order logic for λ-terms (hence, the prefix FOλ) that is the result of extending Gentzen's LJ sequent calculus for first-order intuitionistic logic [Gentzen 1969] with simply typed λ-terms and with quantifiers that range over non-predicate types. The full logic is the result of making two extensions to this core. First, "fixed points" are added via the technical device of "definitions," presented below and marked with the symbol ≜. Fixed points can capture important forms of "must behavior" in the treatment of operational semantics [McDowell and Miller 2000; McDowell et al. 2003]. Fixed points also strengthen negation to encompass "negation-as-finite-failure." In the presence of this stronger negation, the usual treatment of λ-tree syntax via "generic judgments" encoded as universal quantifiers is inadequate: a more intensional treatment of such judgments is provided by the addition of the ∇-quantifier [Miller and Tiu 2005].

A sequent is an expression of the form B₁, ..., Bₙ ⊢ B₀ where B₀, ..., Bₙ are formulas and the elongated turnstile ⊢ is the sequent arrow. To the left of the turnstile is a multiset: thus repeated occurrences of a formula are allowed. If the formulas B₀, ..., Bₙ contain free variables, they are considered universally quantified outside the sequent, in the sense that if the above sequent is provable then every instance of it is also provable. In proof theoretical terms, such free variables are called eigenvariables.

A first attempt at using sequent calculus to capture judgments about the π-calculus could be to use eigenvariables to encode names in the π-calculus, but this is certainly problematic. For example, if we have a proof of the sequent ⊢ P x y, where x and y are different eigenvariables, then logic dictates that the sequent ⊢ P z z is also provable (given the universal quantifier reading of eigenvariables). If the judgment P is about, say, bisimulation, then it is not likely that a statement about bisimulation involving two different names x and y remains true if they are identified to the same name z.

To address this problem, the logic FOλ∇ extends sequents with a new notion of "local scope" for proof-level bound variables (originally motivated in [Miller and Tiu 2003] to encode "generic judgments"). In particular, sequents in FOλ∇ are of the form

  Σ ; σ₁▷B₁, ..., σₙ▷Bₙ ⊢ σ₀▷B₀

where Σ is a global signature, i.e., the set of eigenvariables whose scope is over the entire sequent, and σᵢ is a local signature, i.e., a list of variables scoped over Bᵢ. We shall consider sequents to be binding structures in the sense that the signatures, both the global and local ones, are abstractions over their respective scopes. The variables in Σ and σᵢ will admit α-conversion by systematically changing the names of variables in signatures as well as those in their scope, following the usual convention of the λ-calculus. The meaning of eigenvariables is as before except that now instantiation of eigenvariables has to be capture-avoiding with respect to the local signatures. The variables in local signatures act as locally scoped generic constants: that is, they do not vary in proofs since they will not be instantiated. The expression σ▷B is called a generic judgment or simply a judgment. We use script letters 𝓐, 𝓑, etc. to denote judgments. We write simply B instead of σ▷B if the signature σ is empty. We shall often write the list σ as a string of variables: e.g., a judgment (x₁, x₂, x₃)▷B will be written as x₁x₂x₃▷B. If the list x₁, x₂, x₃ is known from context we shall also abbreviate the judgment as x̄▷B.

Following Church [1940], the type o is used to denote the type of formulas. The propositional constants of FOλ∇ are ∧ (conjunction), ∨ (disjunction), ⊃ (implication), ⊤ (true) and ⊥ (false). We shall abbreviate B ⊃ ⊥ as ¬B (intuitionistic negation). Syntactically, logical constants can be seen as typed constants: for example, the binary connectives have type o → o → o. For each simple type γ that does not contain o, there are three quantifiers in FOλ∇: namely, ∀_γ (universal quantifier), ∃_γ (existential quantifier), ∇_γ (nabla), each one of type (γ → o) → o. The subscript type γ is often dropped when it can be inferred from context or its value is not important. Since we do not allow quantification over predicates, this logic is proof-theoretically similar to first-order logic. The inference rules for FOλ∇ that do not deal with definitions are given in Figure 1.

During the search for proofs (reading rules bottom up), the inference rules for the ∀ and ∃ quantifiers place new variables (eigenvariables) into the global signature while the inference rules for ∇ place new variables into a local signature. In the ∀R and ∃L rules, raising [Miller 1992] is used when replacing the bound variable x (which can be substituted for by terms containing variables in both the global signature and the local signature σ) with the variable h (which can only be instantiated with terms containing variables in the global signature). In order not to miss substitution terms, the variable x is replaced by the term (h x₁ ... xₙ): the latter expression is written simply as (h σ) where σ is the list x₁, ..., xₙ. As is usual, the eigenvariable h must not be free in the lower sequent of these rules. In ∀L and ∃R, the term t can have free variables from both Σ and σ, a fact that is given by the typing judgment Σ, σ ⊢ t : γ. The ∇L and ∇R rules have the proviso that y is not free in ∇x.B. The introduction rules for propositional connectives are the standard ones for intuitionistic logic. Reading the rules top down, the structural rule cL (contraction) allows removal of duplicate judgments from the sequent and the rule wL (weakening) allows introduction of a (possibly new) judgment into the sequent. Note that since the initial rule init has implicit weakening, the weakening rule wL can actually be shown admissible, hence it is strictly speaking not necessary. It is, however, convenient for interactive proof search, since it allows one to remove irrelevant formulae (reading the rule bottom up) in a sequent.

Fig. 1. The inference rules of FOλ∇ not dealing with definitions. Each rule is written as "from <premises> infer <conclusion>"; a rule with no premises is an axiom.

  init:  Σ; σ▷B, Γ ⊢ σ▷B
  cut:   from  Σ; Δ ⊢ B  and  Σ; B, Γ ⊢ C  infer  Σ; Δ, Γ ⊢ C
  ∧L:    from  Σ; σ▷B, σ▷C, Γ ⊢ D  infer  Σ; σ▷B ∧ C, Γ ⊢ D
  ∧R:    from  Σ; Γ ⊢ σ▷B  and  Σ; Γ ⊢ σ▷C  infer  Σ; Γ ⊢ σ▷B ∧ C
  ∨L:    from  Σ; σ▷B, Γ ⊢ D  and  Σ; σ▷C, Γ ⊢ D  infer  Σ; σ▷B ∨ C, Γ ⊢ D
  ∨R:    from  Σ; Γ ⊢ σ▷B  infer  Σ; Γ ⊢ σ▷B ∨ C;   from  Σ; Γ ⊢ σ▷C  infer  Σ; Γ ⊢ σ▷B ∨ C
  ⊥L:    Σ; σ▷⊥, Γ ⊢ B
  ⊃L:    from  Σ; Γ ⊢ σ▷B  and  Σ; σ▷C, Γ ⊢ D  infer  Σ; σ▷B ⊃ C, Γ ⊢ D
  ⊃R:    from  Σ; σ▷B, Γ ⊢ σ▷C  infer  Σ; Γ ⊢ σ▷B ⊃ C
  ∀L:    from  Σ, σ ⊢ t : γ  and  Σ; σ▷B[t/x], Γ ⊢ C  infer  Σ; σ▷∀_γx.B, Γ ⊢ C
  ∀R:    from  Σ, h; Γ ⊢ σ▷B[(h σ)/x]  infer  Σ; Γ ⊢ σ▷∀x.B
  ∃L:    from  Σ, h; σ▷B[(h σ)/x], Γ ⊢ C  infer  Σ; σ▷∃x.B, Γ ⊢ C
  ∃R:    from  Σ, σ ⊢ t : γ  and  Σ; Γ ⊢ σ▷B[t/x]  infer  Σ; Γ ⊢ σ▷∃_γx.B
  ∇L:    from  Σ; (σ, y)▷B[y/x], Γ ⊢ C  infer  Σ; σ▷∇x.B, Γ ⊢ C
  ∇R:    from  Σ; Γ ⊢ (σ, y)▷B[y/x]  infer  Σ; Γ ⊢ σ▷∇x.B
  cL:    from  Σ; B, B, Γ ⊢ C  infer  Σ; B, Γ ⊢ C
  wL:    from  Σ; Γ ⊢ C  infer  Σ; B, Γ ⊢ C
  ⊤R:    Σ; Γ ⊢ σ▷⊤

While sequent calculus introduction rules generally only introduce logical connectives, the full logic FOλ∇ additionally allows introduction of atomic judgments; that is, judgments which do not contain any occurrences of logical constants. To each atomic jud
gment, 𝓐, we associate a defining judgment, 𝓑, the definition of 𝓐. The introduction rule for the judgment 𝓐 is in effect done by replacing 𝓐 with 𝓑 during proof search. This notion of definitions is an extension of work by Schroeder-Heister [1993], Eriksson [1991], Girard [1992], Stärk [1994], and McDowell and Miller [2000]. These inference rules for definitions allow for modest reasoning about the fixed points of (recursive) definitions.

Definition 1. A definition clause is written ∀x̄[p t̄ ≜ B], where p is a predicate constant, every free variable of the formula B is also free in at least one term in the list t̄ of terms, and all variables free in p t̄ are contained in the list x̄ of variables. The atomic formula p t̄ is called the head of the clause, and the formula B is called the body. The symbol ≜ is used simply to indicate a definitional clause: it is not a logical connective.

Let ∀_γ₁x₁ ... ∀_γₙxₙ.H ≜ B be a definition clause. Let y₁, ..., yₘ be a list of variables of types α₁, ..., αₘ, respectively. The raised definition clause of this clause with respect to the signature {y₁ : α₁, ..., yₘ : αₘ} is defined as

  ∀h₁ ... ∀hₙ. ȳ▷Hθ ≜ ȳ▷Bθ

where θ is the substitution [(h₁ ȳ)/x₁, ..., (hₙ ȳ)/xₙ] and hᵢ is of type α₁ → ... → αₘ → γᵢ, for every i ∈ {1, ..., n}. A definition is a set of definition clauses together with their raised clauses.

Recall that we use script letters, such as 𝓑, 𝓗, etc., to refer to generic judgments. In particular, in referring to a raised definition clause, e.g.,

  ∀h₁ ... ∀hₙ. ȳ▷Hθ ≜ ȳ▷Bθ

we shall sometimes simply write 𝓗 ≜ 𝓑 when the local signatures can be inferred from context or are unimportant to the discussion.

To guarantee the consistency (and cut-elimination) of the logic FOλ∇, we need some kind of stratification of definitions so as to avoid a situation where a definition of a predicate depends negatively on itself. For this purpose, we associate to each predicate p a natural number lvl(p), the level of p. The notion of level is generalized to formulas as follows.

Definition 2. Given a formula B, its level lvl(B) is defined as follows:

(1) lvl(p t̄) = lvl(p)

(2) lvl(⊥) = lvl(⊤) = 0

(3) lvl(B ∧ C) = lvl(B ∨ C) = max(lvl(B), lvl(C))

(4) lvl(B ⊃ C) = max(lvl(B) + 1, lvl(C))

(5) lvl(∀x.B) = lvl(∇x.B) = lvl(∃x.B) = lvl(B).

We shall require that for every definition clause ∀x̄[p t̄ ≜ B], lvl(B) ≤ lvl(p).

Note that the stratification condition above implies that in a stratified definition, say ∀x̄[p t̄ ≜ B], the predicate p can only occur strictly positively in B (if it occurs at all). All definitions considered in this paper can be easily stratified according to the above definition and cut-elimination holds for the logic using them. For the latter, we refer the reader to [Miller and Tiu 2005] for the full details.
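As an added illustration of Definition 2 (this is example code written for this page, not code from the paper), the following Python computes lvl(B) over a small tuple representation of formulas and searches for a level assignment under which every clause satisfies lvl(B) ≤ lvl(p), reporting when no such assignment exists. The tuple encoding, the level-search procedure (a Bellman-Ford-style iteration) and the sample clauses are this example's own; the bisimulation-style clause is only a schematic in the shape the text describes for definitions with implications, not the paper's Figure 3.

```python
# Added example (not from the paper): checking the stratification condition of
# Definition 2. Formulas are nested tuples, a representation chosen here:
#   ('atom', p, args) | ('top',) | ('bot',) | ('and', B, C) | ('or', B, C)
#   | ('imp', B, C) | ('forall', x, B) | ('exists', x, B) | ('nabla', x, B)
# A definition clause  forall xs [p ts =def B]  is the pair (('atom', p, ts), B).

def lvl(formula, levels):
    """lvl(B) of Definition 2; `levels` maps each predicate p to lvl(p)."""
    tag = formula[0]
    if tag == 'atom':
        return levels[formula[1]]
    if tag in ('top', 'bot'):
        return 0
    if tag in ('and', 'or'):
        return max(lvl(formula[1], levels), lvl(formula[2], levels))
    if tag == 'imp':  # the antecedent of an implication counts one level higher
        return max(lvl(formula[1], levels) + 1, lvl(formula[2], levels))
    if tag in ('forall', 'exists', 'nabla'):  # quantifiers leave the level unchanged
        return lvl(formula[2], levels)
    raise ValueError(f"unknown formula tag {tag!r}")

def predicates(formula):
    """Predicate names occurring in a formula."""
    tag = formula[0]
    if tag == 'atom':
        return {formula[1]}
    if tag in ('top', 'bot'):
        return set()
    if tag in ('and', 'or', 'imp'):
        return predicates(formula[1]) | predicates(formula[2])
    return predicates(formula[2])

def violations(clauses, levels):
    """Heads p of clauses p ts =def B whose body is too high: lvl(B) > lvl(p)."""
    return [head[1] for head, body in clauses if lvl(body, levels) > levels[head[1]]]

def assign_levels(clauses):
    """Least level assignment under which every clause is stratified, or None.
    Start every predicate at level 0 and raise lvl(p) to lvl(B) for each clause
    until nothing changes. A body that mentions its own head to the left of an
    implication demands lvl(p) > lvl(p), so the level never stops rising; as in
    Bellman-Ford, no convergence after |predicates| rounds proves such a cycle."""
    preds = set()
    for head, body in clauses:
        preds |= {head[1]} | predicates(body)
    levels = {p: 0 for p in preds}
    for _ in range(len(preds) + 1):
        changed = False
        for head, body in clauses:
            b = lvl(body, levels)
            if b > levels[head[1]]:
                levels[head[1]] = b
                changed = True
        if not changed:
            return levels
    return None

# Sample clauses, constructed for this example.
# eq x x =def top: the equality clause from the text.
EQ_CLAUSE = (('atom', 'eq', ('x', 'x')), ('top',))
# bisim P Q =def forall A forall P1 (one P A P1 imp exists Q1 (one Q A Q1 and bisim P1 Q1)):
# a schematic bisimulation-style clause in the shape the text describes, not Figure 3 itself.
# The recursive call is positive; `one` occurs under an implication, so lvl(bisim) > lvl(one).
BISIM_CLAUSE = (('atom', 'bisim', ('P', 'Q')),
                ('forall', 'A', ('forall', 'P1',
                    ('imp', ('atom', 'one', ('P', 'A', 'P1')),
                            ('exists', 'Q1', ('and', ('atom', 'one', ('Q', 'A', 'Q1')),
                                                     ('atom', 'bisim', ('P1', 'Q1'))))))))
# p x =def (p x imp bot): p depends negatively on itself and cannot be stratified.
BAD_CLAUSE = (('atom', 'p', ('x',)), ('imp', ('atom', 'p', ('x',)), ('bot',)))

if __name__ == '__main__':
    print(assign_levels([EQ_CLAUSE, BISIM_CLAUSE]))  # levels: eq 0, one 0, bisim 1
    print(assign_levels([BAD_CLAUSE]))               # None
```

The ∇ case of lvl is deliberately identical to the ∀ and ∃ cases, as clause (5) of the definition requires; what separates a stratifiable definition from an unstratifiable one is only the placement of a predicate to the left of an implication, which is exactly the "negative dependence" the text warns about.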

The introduction rules for a defined judgment are as follows. When applying the introduction rules, we shall omit the outer quantifiers in a definition clause and assume implicitly that the free variables in the definition clause are distinct from other variables in the sequent.

  defL:  from  { Σθ; 𝓑θ, Γθ ⊢ Cθ  |  θ ∈ CSU(𝓐, 𝓗) for some raised clause 𝓗 ≜ 𝓑 }  infer  Σ; 𝓐, Γ ⊢ C

  defR:  from  Σ; Γ ⊢ 𝓑θ  infer  Σ; Γ ⊢ 𝓐,   where 𝓗 ≜ 𝓑 is a raised definition clause and 𝓗θ = 𝓐

In the above rules, we apply substitution to judgments. The result of applying a substitution θ to a generic judgment x₁, ..., xₙ ▷ B, written as (x₁, ..., xₙ ▷ B)θ, is y₁, ..., yₙ ▷ B′ if (λx₁ ... λxₙ.B)θ is equal (modulo λ-conversion) to λy₁ ... λyₙ.B′. If Γ is a multiset of generic judgments, then Γθ is the multiset {𝓙θ | 𝓙 ∈ Γ}. In the defL rule, we use the notion of complete set of unifiers (CSU) [Huet 1975]. We denote by CSU(𝓐, 𝓗) the complete set of unifiers for the pair (𝓐, 𝓗): that is, for any substitution θ such that 𝓐θ = 𝓗θ, there is a substitution ρ ∈ CSU(𝓐, 𝓗) such that θ = ρ ∘ θ′ for some substitution θ′. In all the applications of defL in this paper, the set CSU(𝓐, 𝓗) is either empty (the two judgments are not unifiable) or contains a single substitution denoting the most general unifier. The signature Σθ in defL denotes a signature obtained from Σ by removing the variables in the domain of θ and adding the variables in the range of θ. In the defL rule, reading the rule bottom-up, eigenvariables can be instantiated in the premise, while in the defR rule, eigenvariables are not instantiated. The set that is the premise of the defL rule means that that rule instance has a premise for every member of that set: if that set is empty, then the premise is proved.

Equality for terms can be defined in FOλ∇ using the single definition clause [∀x. x = x ≜ ⊤]. Specializing the defL and defR rules to equality yields the inference rules

  from  { Σθ; Γθ ⊢ Cθ  |  θ ∈ CSU(λȳ.s, λȳ.t) }  infer  Σ; ȳ▷ s = t, Γ ⊢ C        and        Σ; Γ ⊢ ȳ▷ t = t

Disequality s ≠ t, the negation of equality, is an abbreviation for (s = t) ⊃ ⊥.

One might find the following analogy with logic programming helpful: if a definition is viewed as a logic program, then the defR rule captures backchaining and the defL rule corresponds to case analysis on all possible ways an atomic judgment could be proved. In the case where the program has only finitely many computation paths, we can effectively encode negation-as-failure using defL [Hallnäs and Schroeder-Heister 1991].

3. SOME META-THEORY OF THE LOGIC 

Once we have written a computational specification as logical formulas, it is important that the underlying logic has formal properties that allow us to reason about that specification. In this section, we list a few formal properties of FOλ∇ that will be used later in this paper.

Cut-elimination for FOλ∇ [Miller and Tiu 2005; Tiu 2004] is probably the single most important meta-theoretic property needed. Besides guaranteeing the consistency of the logic, it also provides completeness for cut-free proofs: these proofs are used to help prove the adequacy of a logical specification. For example, the proof that a certain specification actually encodes the one-step transition relation or the bisimulation relation starts by examining the highly restricted structure of cut-free proofs. Also, cut-elimination allows the use of modus ponens and substitutions into cut-free proofs with the assurance that another cut-free proof arises from that operation.

Another important structural property of provability is the invertibility of inference rules. An inference rule of logic is invertible if the provability of the conclusion implies the provability of the premise(s) of the rule. The following rules in FOλ∇ are invertible: ∧R, ∧L, ∨L, ⊃R, ∀R, ∃L, defL (see [Tiu 2004] for a proof). Knowing the invertibility of a rule can be useful in determining some structure of a proof. For example, if we know that a sequent A ∨ B, Γ ⊢ C is provable, then by the invertibility of ∨L, we know that it must be the case that A, Γ ⊢ C and B, Γ ⊢ C are provable.

We now present several meta-theoretic properties of provability that are specifically targeted at the ∇-quantifier. These properties are useful when proving the adequacy of our specifications of bisimulation and modal logic in the following sections. These properties also provide some insights into the differences between the universal and the ∇ quantifiers. The proofs of the propositions listed in this section can be found in [Tiu 2004].

Throughout the paper, we shall use the following notation for provability: we shall write ⊢ Σ ; Γ ⊢ C to denote the fact that the sequent Σ ; Γ ⊢ C is provable, and ⊢ B to denote provability of the sequent . ; . ⊢ B.

The following proposition states that the global scope of an eigenvariable can be weakened to be a locally scoped variable when there are no assumptions.

Proposition 3. If ⊢ ∀x.B then ⊢ ∇x.B.

Notice that the implication ∀_τx.B ⊃ ∇_τx.B does not necessarily hold. For example, if the type τ is empty, then ∀_τx.B may be true vacuously, independently of the structure of B, whereas attempting to prove ∇_τx.B reduces to attempting to prove B given the fresh element x of type τ.

As we suggested in Section 1 with the formula ∇x_γ∇y_γ. x ≠ y, the converse of Proposition 3 is not true in general. That converse does hold, however, if we use definitions and formulas that do not contain implications and, consequently, do not contain negations (since these are formally defined as implications). Horn clauses provide an interesting fragment of logic that does not contain negations: in that setting, the distinction between ∀ and ∇ cannot be observed using the proof system. More precisely, let hc^∇∀-formulas (for Horn clause formulas with ∇ and ∀) be formulas that do not contain occurrences of the logical constant ⊃ (implication). An hc^∇∀-definition is a definition whose bodies are hc^∇∀-formulas. For example, the definition of the one-step transition in Figure 2 is an hc^∇∀-definition but the definition of bisimulation in Figure 3 is not an hc^∇∀-definition.

Proposition 4. Let 𝓓 be an hc^∇∀-definition and ∀x̄.G be an hc^∇∀-formula. Then, assuming 𝓓 is the only definition used, ∀x̄.G is provable if and only if ∇x̄.G is provable.

The above proposition highlights the fact that positive occurrences of ∇ are interchangeable with ∀. The specification of the operational semantics of the π-calculus in the next section uses only positive occurrences of ∇, hence its specification can be done also in a logic without ∇. However, our specifications of bisimulation and modal logics in the subsequent sections make use of implications in definitions and, as a result, ∇ cannot be replaced with ∀. We shall come back to this discussion on the distinction between ∀ and ∇ when we present the specification of bisimulation in Section 5.

Finally, we state a technical result about proofs in FOλ∇ that states that provability of a sequent is not affected by the application of substitutions.

Proposition 5. Let Π be a proof of Σ ; Γ ⊢ C. Then for any substitution θ, there exists a proof Π′ of Σθ ; Γθ ⊢ Cθ such that the height of Π′ is less than or equal to the height of Π.

4. LOGICAL SPECIFICATION OF ONE-STEP TRANSITION 

The finite π-calculus is the fragment of the π-calculus without recursion (or replication). In particular, process expressions are defined as

  P ::= 0 | x̄y.P | x(y).P | τ.P | (x)P | [x = y]P | P|P | P + P.

We use the symbols P, Q, R, S, T to denote processes and lower case letters, e.g., a, b, c, d, x, y, z to denote names. The occurrence of y in the processes x(y).P and (y)P is a binding occurrence with P as its scope. The set of free names in P is denoted by fn(P), the set of bound names is denoted by bn(P). We write n(P) for the set fn(P) ∪ bn(P). We consider processes to be equivalent if they are identical up to a renaming of bound variables.

The relation of one-step (late) transition [Milner et al. 1992] for the π-calculus is denoted by P --α--> Q, where P and Q are processes and α is an action. The kinds of actions are the silent action τ, the free input action xy, the free output action x̄y, the bound input action x(y), and the bound output action x̄(y). The name y in x(y) and x̄(y) is a binding occurrence. Just as we did with processes, we use fn(α), bn(α) and n(α) to denote free names, bound names, and names in α. An action without binding occurrences of names is a free action (this includes the silent action); otherwise it is a bound action.

Three primitive syntactic categories are used to encode the π-calculus into λ-tree syntax: n for names, p for processes, and a for actions. We do not assume any inhabitants of type n: as a consequence, a free name is translated to a variable of type n that is either universally or ∇-quantified, depending on whether we want to allow names to be instantiated or not. For instance, when encoding late bisimulation, free names correspond to ∇-quantified variables, while when encoding open bisimulation, free names correspond to universally quantified variables (Section 5). Since the rest of this paper is about the π-calculus, the ∇ quantifier will from now on only be used at type n.

There are three constructors for actions: τ : a (for the silent action) and the two constants ↓ and ↑, both of type n → n → a (for building input and output actions, respectively). The free output action x̄y is encoded as ↑xy while the bound output action x̄(y) is encoded as λy(↑xy) (or the η-equivalent term ↑x). The free input action xy is encoded as ↓xy while the bound input action x(y) is encoded as λy(↓xy) (or simply ↓x). Notice that bound input and bound output actions have type n → a instead of a.

The following are process constructors, where + and | are written as infix (out takes the channel, the transmitted name and the continuation, as in the translation of x̄y.P below):

  0 : p    τ : p → p    out : n → n → p → p    in : n → (n → p) → p
  + : p → p → p    | : p → p → p    match : n → n → p → p    ν : (n → p) → p

Notice τ is overloaded by being used as a constructor of actions and of processes. The one-step transition relation is represented using two predicates. The predicate ·₁ --·₂--> ·₃ of type p → a → p → o, where the first argument (indicated with ·₁) is of type p, the second argument is of type a, and the third argument is of type p, encodes transitions involving the free actions, while the predicate ·₁ --·₂--⇀ ·₃ of type p → (n → a) → (n → p) → o encodes transitions involving bound values (it is written here with a harpoon head to keep the two predicates apart). The precise translation of the π-calculus syntax into simply typed λ-terms is given in the following definition. We assume that names in π-calculus processes are translated to variables (of the same names) in the meta logic.

Definition 6. The following function ⟦.⟧ translates process expressions to βη-long normal terms of type p.

  ⟦0⟧ = 0    ⟦P + Q⟧ = ⟦P⟧ + ⟦Q⟧    ⟦P|Q⟧ = ⟦P⟧ | ⟦Q⟧    ⟦τ.P⟧ = τ ⟦P⟧
  ⟦[x = y]P⟧ = match x y ⟦P⟧    ⟦x̄y.P⟧ = out x y ⟦P⟧
  ⟦x(y).P⟧ = in x λy.⟦P⟧    ⟦(x)P⟧ = ν λx.⟦P⟧

We abbreviate νλx.P as simply νx.P. The one-step transition judgments are translated to atomic formulas as follows (we overload the symbol ⟦.⟧).

  ⟦P --x(y)--> Q⟧ = ⟦P⟧ --↓x--⇀ λy.⟦Q⟧
  ⟦P --x̄(y)--> Q⟧ = ⟦P⟧ --↑x--⇀ λy.⟦Q⟧
  ⟦P --xy--> Q⟧ = ⟦P⟧ --↓xy--> ⟦Q⟧
  ⟦P --x̄y--> Q⟧ = ⟦P⟧ --↑xy--> ⟦Q⟧
  ⟦P --τ--> Q⟧ = ⟦P⟧ --τ--> ⟦Q⟧

Notice that we mention encodings of free input actions and free input transition judgments. Since we shall be concerned only with late transition systems, these will not be needed in subsequent specifications. Giving these actions and judgments explicit encodings, however, simplifies the argument for the adequacy of representations of these syntactic judgments: that is, every βη-normal term of type a corresponds to an action in the π-calculus, and similarly, every atomic formula encoding of a one-step transition judgment (in βη-normal form) corresponds to a one-step transition judgment in the π-calculus.

Figure 2 contains a definition, called $\mathcal{D}_\pi$, that encodes the operational semantics of the late transition system for the finite π-calculus. In this specification, free variables are schema variables that are assumed to be universally scoped over the definition clause in which they appear. These schema variables have primitive types such as $a$, $n$, and $p$ as well as functional types such as $n \to a$ and $n \to p$.

Notice that, as a consequence of using λ-tree syntax for this specification, the usual side conditions in the original specifications of the π-calculus [Milner et al. 1992] are no longer present. For example, the side condition that $X \neq n$ in the open rule is implicit, since $X$ is outside the scope of $n$ and, therefore, cannot be instantiated with $n$ (substitutions into logical expressions cannot capture bound variable names). The adequacy of our encoding is stated in the following lemma and proposition (their proofs can be found in [Tiu 2004]).

Lemma 7. The function $[\![\cdot]\!]$ is a bijection between α-equivalence classes of process expressions and βη-equivalence classes of terms of type $p$ whose free variables (if any) are of type $n$.

Proposition 8. Let $P$ and $Q$ be processes and $\alpha$ an action. Let $\bar{n}$ be a list of free names containing the free names in $P$, $Q$, and $\alpha$. The transition $P \xrightarrow{\alpha} Q$ is derivable in the π-calculus if and only if $\cdot\,;\,\cdot \vdash \nabla\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in $FO\lambda^{\Delta\nabla}$ with the definition $\mathcal{D}_\pi$.
TAU:    $\tau P \xrightarrow{\tau} P \triangleq \top$
IN:     $\mathrm{in}\ X\ M \xrightharpoonup{\downarrow X} M \triangleq \top$
OUT:    $\mathrm{out}\ X\ Y\ P \xrightarrow{\uparrow XY} P \triangleq \top$
MATCH:  $\mathrm{match}\ X\ X\ P \xrightarrow{A} Q \triangleq P \xrightarrow{A} Q$
        $\mathrm{match}\ X\ X\ P \xrightharpoonup{A} Q \triangleq P \xrightharpoonup{A} Q$
SUM:    $P + Q \xrightarrow{A} R \triangleq P \xrightarrow{A} R$
        $P + Q \xrightarrow{A} R \triangleq Q \xrightarrow{A} R$
        $P + Q \xrightharpoonup{A} R \triangleq P \xrightharpoonup{A} R$
        $P + Q \xrightharpoonup{A} R \triangleq Q \xrightharpoonup{A} R$
PAR:    $P \mid Q \xrightarrow{A} P' \mid Q \triangleq P \xrightarrow{A} P'$
        $P \mid Q \xrightarrow{A} P \mid Q' \triangleq Q \xrightarrow{A} Q'$
        $P \mid Q \xrightharpoonup{A} \lambda n(M n \mid Q) \triangleq P \xrightharpoonup{A} M$
        $P \mid Q \xrightharpoonup{A} \lambda n(P \mid N n) \triangleq Q \xrightharpoonup{A} N$
RES:    $\nu n.Pn \xrightarrow{A} \nu n.Qn \triangleq \nabla n(Pn \xrightarrow{A} Qn)$
        $\nu n.Pn \xrightharpoonup{A} \lambda m\,\nu n.P'nm \triangleq \nabla n(Pn \xrightharpoonup{A} P'n)$
OPEN:   $\nu n.Mn \xrightharpoonup{\uparrow X} M' \triangleq \nabla n(Mn \xrightarrow{\uparrow Xn} M'n)$
CLOSE:  $P \mid Q \xrightarrow{\tau} \nu n.(Mn \mid Nn) \triangleq \exists X.\ P \xrightharpoonup{\downarrow X} M \wedge Q \xrightharpoonup{\uparrow X} N$
        $P \mid Q \xrightarrow{\tau} \nu n.(Mn \mid Nn) \triangleq \exists X.\ P \xrightharpoonup{\uparrow X} M \wedge Q \xrightharpoonup{\downarrow X} N$
COM:    $P \mid Q \xrightarrow{\tau} MY \mid Q' \triangleq \exists X.\ P \xrightharpoonup{\downarrow X} M \wedge Q \xrightarrow{\uparrow XY} Q'$
        $P \mid Q \xrightarrow{\tau} P' \mid NY \triangleq \exists X.\ P \xrightarrow{\uparrow XY} P' \wedge Q \xrightharpoonup{\downarrow X} N$

Fig. 2. Definition clauses for the late transition system.



If our goal was only to correctly encode one-step transitions for the π-calculus then we would need neither ∇ nor definitions. In particular, let be the result of replacing all ∇ quantifiers in $\mathcal{D}_\pi$ with ∀ quantifiers. A slight generalization of Proposition 4 (see [Miller and Tiu 2005; Tiu 2004]) allows us to conclude that $\cdot\,;\,\cdot \vdash \forall\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in $FO\lambda^{\Delta\nabla}$ with the definition if and only if $\cdot\,;\,\cdot \vdash \nabla\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in $FO\lambda^{\Delta\nabla}$ with the definition $\mathcal{D}_\pi$. Furthermore, we can also do with the simpler notions of theory or assumptions and not definition. In particular, let be the set of implications that result from changing all definition clauses in into reverse implications (i.e., the head is implied by the body). We can then conclude that $\cdot\,;\,\cdot \vdash \forall\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in $FO\lambda^{\Delta\nabla}$ with the definition if and only if $\cdot\,; \vdash \forall\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in intuitionistic (and classical) logic. In fact, such a specification of the one-step transitions in the π-calculus as a theory without ∇ dates back to at least Miller and Palamidessi [1999].

Definitions and ∇ are needed, however, for proving non-Horn properties (that is, properties requiring a strong notion of negation). The following proposition is a dual of Proposition 8. Its proof can be found in the appendix.
Proposition 9. Let $P$ and $Q$ be processes and $\alpha$ an action. Let $\bar{n}$ be a list of free names containing the free names in $P$, $Q$, and $\alpha$. The transition $P \xrightarrow{\alpha} Q$ is not derivable in the π-calculus if and only if $\cdot\,;\,\cdot \vdash \neg\nabla\bar{n}.[\![P \xrightarrow{\alpha} Q]\!]$ is provable in $FO\lambda^{\Delta\nabla}$ with the definition $\mathcal{D}_\pi$.

The following example illustrates how a negation can be proved in $FO\lambda^{\Delta\nabla}$. When writing encoded process expressions, we shall use, instead, the syntax of the π-calculus along with the usual abbreviations: for example, when a name $z$ is used as a prefix, it denotes the prefix $z(w)$ where $w$ is vacuous in its scope; when a name $\bar{z}$ is used as a prefix it denotes the output prefix $\bar{z}a$ for some fixed name $a$. We also abbreviate $(y)\bar{x}y.P$ as $\bar{x}(y).P$, and the process term $0$ is omitted if it appears as the continuation of a prefix. We assume that the operators $|$ and $+$ associate to the right, e.g., we write $P + Q + R$ to denote $P + (Q + R)$.

Example 10. Consider the process $(y)([x = y]\bar{x}z)$, which could be the continuation of some other process which inputs $x$ on some channel, e.g., $a(x).(y)[x = y]\bar{x}z$. Since the bound variable $y$ is different from any name substituted for $x$, that process cannot make a transition and the following formula should be provable.

  $\forall x \forall z \forall Q \forall \alpha.[((y)[x = y](\bar{x}z) \xrightarrow{\alpha} Q) \supset \bot]$

Since $y$ is bound inside the scope of $x$, no instantiation for $x$ can be equal to $y$. The formal derivation of the above formula is (ignoring the initial uses of $\supset\!R$ and $\forall R$):

                                                                                   defL
    $\{x, z, Q', \alpha\};\ y \triangleright ([x = y](\bar{x}z.0) \xrightarrow{\alpha} Q'y) \vdash \bot$
  ─────────────────────────────────────────────────────────────────────── ∇L
    $\{x, z, Q', \alpha\};\ \cdot \triangleright \nabla y.([x = y](\bar{x}z.0) \xrightarrow{\alpha} Q'y) \vdash \bot$
  ─────────────────────────────────────────────────────────────────────── defL
    $\{x, z, Q, \alpha\};\ \cdot \triangleright ((y)[x = y](\bar{x}z.0) \xrightarrow{\alpha} Q) \vdash \bot$

The success of the topmost instance of defL depends on the failure of the unification problem $\lambda y.x = \lambda y.y$. Notice that the scoping of term-level variables is maintained at the proof-level by the separation of (global) eigenvariables and (locally bound) generic variables. The "newness" of $y$ is internalized as a λ-abstraction and, hence, it is not subject to instantiation.

The ability to prove a negation is implied by any proof system that can also prove bisimulation for the π-calculus (at least for the finite fragment): for example, the negation above holds because the process $(y)([x = y]\bar{x}z)$ is bisimilar to $0$ (see the next section).

5. LOGICAL SPECIFICATIONS OF STRONG BISIMILARITY

We consider specifying three notions of bisimilarity tied to the late transition system: the strong early bisimilarity, the strong late bisimilarity and the strong open bisimilarity. As it turns out, the definition clauses corresponding to strong late and strong open bisimilarity coincide. Their essential differences are in the quantification of free names and in the presence (or the absence) of the axiom of excluded middle on the equality of names. The difference between early and late bisimulation is tied to the scope of the quantification of names in the case involving bound input (see the definitions below). The original definitions of early, late, and open bisimilarity are given in [Milner et al. 1992; Sangiorgi and Walker 2001]. Here we choose to make the side conditions explicit, instead of adopting the bound variable convention in [Sangiorgi and Walker 2001].

Given a relation on processes $\mathcal{R}$, we write $P\ \mathcal{R}\ Q$ to denote $(P, Q) \in \mathcal{R}$.

Definition 11. A process relation $\mathcal{R}$ is a strong late bisimulation if $\mathcal{R}$ is symmetric and whenever $P\ \mathcal{R}\ Q$,

(1) if $P \xrightarrow{\alpha} P'$ and $\alpha$ is a free action, then there is $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P'\ \mathcal{R}\ Q'$;

(2) if $P \xrightarrow{x(z)} P'$ and $z \notin n(P, Q)$ then there is $Q'$ such that $Q \xrightarrow{x(z)} Q'$ and, for every name $y$, $P'[y/z]\ \mathcal{R}\ Q'[y/z]$; and

(3) if $P \xrightarrow{\bar{x}(z)} P'$ and $z \notin n(P, Q)$ then there is $Q'$ such that $Q \xrightarrow{\bar{x}(z)} Q'$ and $P'\ \mathcal{R}\ Q'$.

The processes $P$ and $Q$ are strong late bisimilar, written $P \sim_l Q$, if there is a strong late bisimulation $\mathcal{R}$ such that $P\ \mathcal{R}\ Q$.

Definition 12. A process relation $\mathcal{R}$ is a strong early bisimulation if $\mathcal{R}$ is symmetric and whenever $P\ \mathcal{R}\ Q$,

(1) if $P \xrightarrow{\alpha} P'$ and $\alpha$ is a free action, then there is $Q'$ such that $Q \xrightarrow{\alpha} Q'$ and $P'\ \mathcal{R}\ Q'$,

(2) if $P \xrightarrow{x(z)} P'$ and $z \notin n(P, Q)$ then for every name $y$, there is $Q'$ such that $Q \xrightarrow{x(z)} Q'$ and $P'[y/z]\ \mathcal{R}\ Q'[y/z]$,

(3) if $P \xrightarrow{\bar{x}(z)} P'$ and $z \notin n(P, Q)$ then there is $Q'$ such that $Q \xrightarrow{\bar{x}(z)} Q'$ and $P'\ \mathcal{R}\ Q'$.

The processes $P$ and $Q$ are strong early bisimilar, written $P \sim_e Q$, if there is a strong early bisimulation $\mathcal{R}$ such that $P\ \mathcal{R}\ Q$.

Definition 13. A distinction $D$ is a finite symmetric and irreflexive relation on names. A substitution $\theta$ respects a distinction $D$ if $(x, y) \in D$ implies $x\theta \neq y\theta$. We refer to the substitution $\theta$ as a $D$-substitution. Given a distinction $D$ and a $D$-substitution $\theta$, the result of applying $\theta$ to all variables in $D$, written $D\theta$, is another distinction. We denote by $fn(D)$ the set of names occurring in $D$.

Since distinctions are symmetric by definition, when we enumerate a distinction, we often omit the symmetric part of the distinction. For instance, we shall write $\{(a, b)\}$ to mean the distinction $\{(a, b), (b, a)\}$, and we shall also write $D \cup (S \times T)$, for some distinction $D$ and finite sets of names $S$ and $T$, to mean the distinction $D \cup (S \times T) \cup (T \times S)$.

Following Sangiorgi [Sangiorgi 1996], we use a set of relations, each indexed by a distinction, to define open bisimulation.

Definition 14. The indexed set $\mathcal{S} = \{\mathcal{S}_D\}_D$ of process relations is an indexed open bisimulation if for every distinction $D$, the relation $\mathcal{S}_D$ is symmetric and for every $\theta$ that respects $D$, if $P\ \mathcal{S}_D\ Q$ then:
$\mathrm{ebisim}\ P\ Q \triangleq \forall A \forall P' [P \xrightarrow{A} P' \supset \exists Q'.\ Q \xrightarrow{A} Q' \wedge \mathrm{ebisim}\ P'\ Q'] \wedge$
$\qquad \forall A \forall Q' [Q \xrightarrow{A} Q' \supset \exists P'.\ P \xrightarrow{A} P' \wedge \mathrm{ebisim}\ Q'\ P'] \wedge$
$\qquad \forall X \forall P' [P \xrightharpoonup{\downarrow X} P' \supset \forall w \exists Q'.\ Q \xrightharpoonup{\downarrow X} Q' \wedge \mathrm{ebisim}\ (P'w)\ (Q'w)] \wedge$
$\qquad \forall X \forall Q' [Q \xrightharpoonup{\downarrow X} Q' \supset \forall w \exists P'.\ P \xrightharpoonup{\downarrow X} P' \wedge \mathrm{ebisim}\ (Q'w)\ (P'w)] \wedge$
$\qquad \forall X \forall P' [P \xrightharpoonup{\uparrow X} P' \supset \exists Q'.\ Q \xrightharpoonup{\uparrow X} Q' \wedge \nabla w.\mathrm{ebisim}\ (P'w)\ (Q'w)] \wedge$
$\qquad \forall X \forall Q' [Q \xrightharpoonup{\uparrow X} Q' \supset \exists P'.\ P \xrightharpoonup{\uparrow X} P' \wedge \nabla w.\mathrm{ebisim}\ (Q'w)\ (P'w)]$

$\mathrm{lbisim}\ P\ Q \triangleq \forall A \forall P' [P \xrightarrow{A} P' \supset \exists Q'.\ Q \xrightarrow{A} Q' \wedge \mathrm{lbisim}\ P'\ Q'] \wedge$
$\qquad \forall A \forall Q' [Q \xrightarrow{A} Q' \supset \exists P'.\ P \xrightarrow{A} P' \wedge \mathrm{lbisim}\ Q'\ P'] \wedge$
$\qquad \forall X \forall P' [P \xrightharpoonup{\downarrow X} P' \supset \exists Q'.\ Q \xrightharpoonup{\downarrow X} Q' \wedge \forall w.\mathrm{lbisim}\ (P'w)\ (Q'w)] \wedge$
$\qquad \forall X \forall Q' [Q \xrightharpoonup{\downarrow X} Q' \supset \exists P'.\ P \xrightharpoonup{\downarrow X} P' \wedge \forall w.\mathrm{lbisim}\ (Q'w)\ (P'w)] \wedge$
$\qquad \forall X \forall P' [P \xrightharpoonup{\uparrow X} P' \supset \exists Q'.\ Q \xrightharpoonup{\uparrow X} Q' \wedge \nabla w.\mathrm{lbisim}\ (P'w)\ (Q'w)] \wedge$
$\qquad \forall X \forall Q' [Q \xrightharpoonup{\uparrow X} Q' \supset \exists P'.\ P \xrightharpoonup{\uparrow X} P' \wedge \nabla w.\mathrm{lbisim}\ (Q'w)\ (P'w)]$

Fig. 3. Specification of strong early, ebisim, and late, lbisim, bisimulations.

(1) if $P\theta \xrightarrow{\alpha} P'$ and $\alpha$ is a free action, then there is $Q'$ such that $Q\theta \xrightarrow{\alpha} Q'$ and $P'\ \mathcal{S}_{D\theta}\ Q'$,

(2) if $P\theta \xrightarrow{x(z)} P'$ and $z \notin n(P\theta, Q\theta)$ then there is $Q'$ such that $Q\theta \xrightarrow{x(z)} Q'$ and $P'\ \mathcal{S}_{D\theta}\ Q'$,

(3) if $P\theta \xrightarrow{\bar{x}(z)} P'$ and $z \notin n(P\theta, Q\theta)$ then there is $Q'$ such that $Q\theta \xrightarrow{\bar{x}(z)} Q'$ and $P'\ \mathcal{S}_{D'}\ Q'$ where $D' = D\theta \cup (\{z\} \times fn(P\theta, Q\theta, D\theta))$.

The processes $P$ and $Q$ are strong open $D$-bisimilar, written $P \sim^o_D Q$, if there is an indexed open bisimulation $\mathcal{S}$ such that $P\ \mathcal{S}_D\ Q$. The processes $P$ and $Q$ are strong open bisimilar if $P \sim^o_\emptyset Q$.

Note that we strengthen a bit the condition 3 in Definition 14 to include the distinction $(\{z\} \times fn(D\theta))$. Strengthening the distinction this way does not change the open bisimilarity, as noted in [Sangiorgi and Walker 2001], but in our encoding of open bisimulation, the distinction $D$ is part of the specification and the modified definition above helps us account for names better.

Early and late bisimulation can be specified in $FO\lambda^{\Delta\nabla}$ using the definition clauses in Figure 3. The definition clause for open bisimulation is the same as the one for late bisimulation. The exact relationship between these definitions and the bisimulation relations repeated above will be stated later in this section.

In reasoning about the specifications of early/late bisimulation, we encode free names as ∇-quantified variables whereas in the specification of open bisimulation we encode free names as ∀-quantified variables. For example, the processes $Pxy = (x \mid y)$ and $Qxy = (x.y + y.x)$ are late bisimilar. The corresponding encoding in $FO\lambda^{\Delta\nabla}$ would be $\nabla x \nabla y.\mathrm{lbisim}\ (Pxy)\ (Qxy)$. The free names $x$ and $y$ should not be ∀-quantified for the following, simple reason: in logic we have the implication $\forall x \forall y\ \mathrm{lbisim}\ (Pxy)\ (Qxy) \supset \forall z\ \mathrm{lbisim}\ (Pzz)\ (Qzz)$. That is, either $\forall x \forall y\ \mathrm{lbisim}\ (Pxy)\ (Qxy)$ is not provable, or it is provable and we have a proof of $\forall z\ \mathrm{lbisim}\ (Pzz)\ (Qzz)$. In either case we lose the adequacy of the encoding.

The definition clauses shown in Figure 3 do not fully capture early and late bisimulations, since there is an implicit assumption in the definition of these bisimulations that name equality is decidable. This basic assumption on the ability to decide the equality among names is one of the differences between open and late bisimulation. Consider, for example, the processes (taken from [Sangiorgi 1996])

  $P = x(u).(\tau.\tau + \tau)$ and $Q = x(u).(\tau.\tau + \tau + \tau.[u = z]\tau)$.

As shown in [Sangiorgi 1996] $P$ and $Q$ are late bisimilar but not open bisimilar: establishing late bisimulation makes use of a case analysis that depends on whether the input name $u$ is equal to $z$ or not. Decidability of name equality, in the case of early and late bisimulation, is encoded as an additional axiom of excluded middle on names, i.e., the formula $\forall x \forall y (x = y \vee x \neq y)$. Note that since we allow dynamic creation of scoped names (via ∇), we must also state this axiom for arbitrary extensions of local signatures. The following set collects together such generalized excluded middle formulas:

  $\mathcal{E} = \{\nabla n_1 \cdots \nabla n_k \forall x \forall y (x = y \vee x \neq y) \mid k \geq 0\}$.

We shall write $\mathcal{X} \subseteq_f \mathcal{E}$ to indicate that $\mathcal{X}$ is a finite subset of $\mathcal{E}$.

The following theorem states the soundness and completeness of the ebisim and lbisim specifications with respect to the notions of early and late bisimilarity in the π-calculus. By soundness we mean that, given a pair of processes $P$ and $Q$, if the encoding of the late (early) bisimilarity is provable in $FO\lambda^{\Delta\nabla}$ then the processes $P$ and $Q$ are late (early) bisimilar. Completeness is the converse. The soundness and completeness of the open bisimilarity encoding is presented at the end of this section, where we consider the encoding of the notion of distinction in the π-calculus.

Theorem 15. Let $P$ and $Q$ be two processes and let $\bar{n}$ be the free names in $P$ and $Q$. Then $P \sim_l Q$ if and only if the sequent $\cdot\,;\,\mathcal{X} \vdash \nabla\bar{n}.\mathrm{lbisim}\ P\ Q$ is provable for some $\mathcal{X} \subseteq_f \mathcal{E}$.

Theorem 16. Let $P$ and $Q$ be two processes and let $\bar{n}$ be the free names in $P$ and $Q$. Then $P \sim_e Q$ if and only if the sequent $\cdot\,;\,\mathcal{X} \vdash \nabla\bar{n}.\mathrm{ebisim}\ P\ Q$ is provable for some $\mathcal{X} \subseteq_f \mathcal{E}$.
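The late transition system of Figure 2 together with the late and early bisimulation clauses of Figure 3 (Definitions 11 and 12), as an added example that is not part of the paper: a small Python interpreter rather than a $FO\lambda^{\Delta\nabla}$ specification. It assumes a constructed tuple encoding of processes, models each ∇-scoped name by a globally fresh name, and instantiates a bound input with the names in play plus one fresh representative; the pair P, Q in demo() that separates early from late bisimilarity is constructed, not taken from the paper.

```python
"""Late transition system (Fig. 2) and late/early bisimilarity (Defs. 11, 12) for the
finite pi-calculus: an added example, not code from the paper.  Nabla-scoped names are
modelled as globally fresh names over a constructed tuple encoding of processes."""
import itertools

# Processes: ('nil',) ('tau',P) ('in',x,y,P) binds y  ('out',x,y,P) ('match',x,y,P)
#   ('sum',P,Q) ('par',P,Q) ('res',x,P) binds x.  Actions: ('tau',), ('out',x,y) are
#   free; ('bin',x,z), ('bout',x,z) are bound, z a fresh name for the abstracted name.
NIL, _counter = ('nil',), itertools.count()

def fresh(hint='n'): return f'{hint}#{next(_counter)}'   # never clashes with user names

def fn(p):
    """Free names of p."""
    k = p[0]
    if k == 'nil': return set()
    if k == 'tau': return fn(p[1])
    if k in ('sum', 'par'): return fn(p[1]) | fn(p[2])
    if k == 'res': return fn(p[2]) - {p[1]}
    if k == 'in': return {p[1]} | (fn(p[3]) - {p[2]})
    return {p[1], p[2]} | fn(p[3])                           # out, match

def subst(p, new, old):
    """p[new/old] on names, renaming a binder when it would capture `new`."""
    k, r = p[0], (lambda q: subst(q, new, old))
    n = lambda a: new if a == old else a
    if k == 'nil': return p
    if k == 'tau': return ('tau', r(p[1]))
    if k in ('sum', 'par'): return (k, r(p[1]), r(p[2]))
    if k in ('out', 'match'): return (k, n(p[1]), n(p[2]), r(p[3]))
    b, body = (p[2], p[3]) if k == 'in' else (p[1], p[2])    # 'in' / 'res' binders
    if b == new and b != old:                                # avoid capture
        f = fresh(b); body, b = subst(body, f, b), f
    if b != old: body = r(body)                              # else old is bound here
    return ('in', n(p[1]), b, body) if k == 'in' else ('res', b, body)

def step(p):
    """All one-step transitions (action, residual) of p under the late semantics."""
    k = p[0]
    if k == 'nil': return []
    if k == 'tau': return [(('tau',), p[1])]                            # TAU
    if k == 'out': return [(('out', p[1], p[2]), p[3])]                  # OUT
    if k == 'in':                                                        # IN
        z = fresh(p[2]); return [(('bin', p[1], z), subst(p[3], z, p[2]))]
    if k == 'match': return step(p[3]) if p[1] == p[2] else []           # MATCH
    if k == 'sum': return step(p[1]) + step(p[2])                         # SUM
    if k == 'res':
        n, out = fresh(p[1]), []                      # n plays the nabla-bound name
        for a, q in step(subst(p[2], n, p[1])):
            if a[0] == 'out' and a[2] == n and a[1] != n:               # OPEN
                out.append((('bout', a[1], n), q))
            elif n not in a[1:]:                                        # RES
                out.append((a, ('res', n, q)))
        return out
    P, Q = p[1], p[2]; sP, sQ = step(P), step(Q)                          # PAR
    out = [(a, ('par', A, Q)) for a, A in sP] + [(a, ('par', P, B)) for a, B in sQ]
    for L, R, mk in ((sP, sQ, lambda A, B: ('par', A, B)), (sQ, sP, lambda A, B: ('par', B, A))):
        for a, A in L:
            for b, B in R:
                if a[0] in ('out', 'bout') and b[0] == 'bin' and a[1] == b[1]:
                    B1 = subst(B, a[2], b[2])                # receiver gets the sent name
                    out.append((('tau',), mk(A, B1) if a[0] == 'out'           # COM
                                else ('res', a[2], mk(A, B1))))                # CLOSE
    return out

def bisimilar(P, Q, late=True, names=frozenset()):
    """Strong late (Def. 11) or, with late=False, strong early (Def. 12) bisimilarity;
    a bound input is instantiated with the names in play plus one fresh representative."""
    names = frozenset(names) | fn(P) | fn(Q)
    return _sim(P, Q, late, names) and _sim(Q, P, late, names)

def _sim(P, Q, late, names):
    sQ = step(Q)
    for a, P1 in step(P):          # free actions must coincide, bound ones agree on subject
        cands = [(b, Q1) for b, Q1 in sQ if (b == a if a[0] in ('tau', 'out') else b[:2] == a[:2])]
        if a[0] in ('tau', 'out'):
            ok = any(bisimilar(P1, Q1, late, names) for _, Q1 in cands)
        elif a[0] == 'bout':                               # extruded name is now free
            ok = any(bisimilar(P1, subst(Q1, a[2], b[2]), late, names | {a[2]}) for b, Q1 in cands)
        else:                                              # bound input: quantifier order
            ys = names | {fresh('y')}
            pair = lambda y, b, Q1: bisimilar(subst(P1, y, a[2]), subst(Q1, y, b[2]), late, names | {y})
            ok = (any(all(pair(y, b, Q1) for y in ys) for b, Q1 in cands) if late
                  else all(any(pair(y, b, Q1) for b, Q1 in cands) for y in ys))
        if not ok: return False
    return True

def inp(x, P=NIL):
    """The paper's abbreviation: a bare name x as prefix is x(w).P with w vacuous."""
    return ('in', x, 'w', P)

def demo():
    """Constructed instances: Example 10, the Pxy/Qxy pair, and an early-vs-late pair."""
    ex10 = ('res', 'y', ('match', 'x', 'y', ('out', 'x', 'z', NIL)))      # (y)[x=y]x̄z
    Pxy, Qxy = ('par', inp('x'), inp('y')), ('sum', inp('x', inp('y')), inp('y', inp('x')))
    P = ('sum', inp('x', ('tau', NIL)), inp('x'))                          # x(u).tau + x(u)
    Q = ('sum', P, ('in', 'x', 'u', ('match', 'u', 'z', ('tau', NIL))))     # ... + x(u).[u=z]tau
    return {'example10_stuck': step(ex10) == [], 'Pxy_Qxy_late': bisimilar(Pxy, Qxy),
            'PQ_late': bisimilar(P, Q), 'PQ_early': bisimilar(P, Q, late=False)}
```

demo() reports the Example 10 process as stuck and x | y late bisimilar to x.y + y.x, while the constructed P, Q come out early but not late bisimilar, which is exactly the ∀w∃Q' versus ∃Q'∀w order of the bound-input clauses in Figure 3.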

It is well-known that the late bisimulation relation is not a congruence since it is not preserved by the input prefix. Part of the reason why the congruence property fails is that in the late bisimilarity there is no syntactic distinction made between names which can be instantiated and names which cannot be instantiated. Addressing this difference between names is one of the motivations behind the introduction of distinctions and open bisimulation. There is another important difference between open and late bisimulation; in open bisimulation names are instantiated lazily, i.e., only when needed. The lazy instantiation of names is intrinsic in $FO\lambda^{\Delta\nabla}$; eigenvariables are instantiated only when applying the defL rule. The syntactic distinction between names that can be instantiated and those that cannot be instantiated is reflected in $FO\lambda^{\Delta\nabla}$ by the difference between the quantifiers ∀ and ∇. The alternation of quantifiers in $FO\lambda^{\Delta\nabla}$ gives rise to a particular kind of distinction, the precise definition of which is given below.

Definition 17. A quantifier prefix is a list $Q_1 x_1 Q_2 x_2 \cdots Q_n x_n$ for some $n \geq 0$, where $Q_i$ is either ∀ or ∇. If $\mathcal{Q}\bar{x}$ is the above quantifier prefix, then the $\mathcal{Q}\bar{x}$-distinction is the distinction

  $\{(x_i, x_j), (x_j, x_i) \mid i \neq j \text{ and } Q_i = Q_j = \nabla, \text{ or } i < j \text{ and } Q_i = \forall \text{ and } Q_j = \nabla\}$.

Notice that if $\mathcal{Q}\bar{x}$ consists only of universal quantifiers then the $\mathcal{Q}\bar{x}$-distinction is empty. Obviously, the alternation of quantifiers does not capture all possible distinctions, e.g., the distinction

  $\{(x, y), (y, x), (x, z), (z, x), (u, z), (z, u)\}$

does not correspond to any quantifier prefix. However, we can encode the full notion of distinction by an explicit encoding of the unequal pairs, as shown later.

It is interesting to see the effect of substitutions on $D$ when $D$ corresponds to a prefix $\mathcal{Q}\bar{x}$. Suppose $\mathcal{Q}\bar{x}$ is the prefix $Q_1 u \forall x Q_2 v \forall y Q_3 w$. Since any two ∀-quantified variables are not made distinct in the definition of the $\mathcal{Q}\bar{x}$-distinction, there is a $\theta$ which respects $D$ and which can identify $x$ and $y$. Applying $\theta$ to $D$ changes $D$ to some $D'$ which corresponds to the prefix $Q_1 u \forall z Q_2 v Q_3 w$. Interestingly, these two prefixes are related by logical implication:

  $Q_1 u \forall x Q_2 v \forall y Q_3 w.P \supset Q_1 u \forall z Q_2 v Q_3 w.P[z/x, z/y]$

for any formula $P$. This observation suggests the following lemma.

Lemma 18. Let $D$ be a $\mathcal{Q}\bar{x}$-distinction and let $\theta$ be a $D$-substitution. Then the distinction $D\theta$ corresponds to some prefix $\mathcal{Q}'\bar{y}$ such that $\mathcal{Q}\bar{x}.P \supset \mathcal{Q}'\bar{y}.P\theta$ for any formula $P$ such that $fv(P) \subseteq \{\bar{x}\}$.

Definition 19. Let $D = \{(x_1, y_1), \ldots, (x_n, y_n)\}$ be a distinction. The distinction $D$ is translated as the formula $[\![D]\!] = x_1 \neq y_1 \wedge \ldots \wedge x_n \neq y_n$. If $n = 0$ then $[\![D]\!]$ is the logical constant $\top$ (the empty conjunction).

Theorem 20. Let $P$ and $Q$ be two processes, let $D$ be a distinction and let $\mathcal{Q}\bar{x}$ be a quantifier prefix, where $\bar{x}$ contains the free names in $P$, $Q$ and $D$. If the formula $\mathcal{Q}\bar{x}.([\![D]\!] \supset \mathrm{lbisim}\ P\ Q)$ is provable then $P \sim^o_{D'} Q$, where $D'$ is the union of $D$ and the $\mathcal{Q}\bar{x}$-distinction.

Theorem 21. If $P \sim^o_D Q$ then the formula $\forall\bar{x}.[\![D]\!] \supset \mathrm{lbisim}\ P\ Q$ is provable, where $\bar{x}$ are the free names in $P$, $Q$ and $D$.

If a distinction $D$ corresponds to a quantifier prefix $\mathcal{Q}\bar{x}$, then it is easy to show that $\mathcal{Q}\bar{x}.[\![D]\!]$ is derivable in $FO\lambda^{\Delta\nabla}$. Therefore, we can state more concisely the adequacy result for the class of $D$-open bisimulations in which $D$ corresponds to a quantifier prefix. The following corollary follows from Theorem 20, Theorem 21 and Proposition 3.

Corollary 22. Let $D$ be a distinction, let $P$ and $Q$ be two processes and let $\mathcal{Q}\bar{x}$ be a quantifier prefix such that $\bar{x}$ contains the free names of $D$, $P$ and $Q$, and $D$ corresponds to the $\mathcal{Q}\bar{x}$-distinction. Then $P \sim^o_D Q$ if and only if $\vdash \mathcal{Q}\bar{x}.\mathrm{lbisim}\ P\ Q$.
Note that, by Lemma 18, the property of being a quantifier-prefix distinction is closed under $D$-substitution. Note also that in Definition 14(3), if $D\theta$ is a quantifier-prefix distinction then so is

  $D' = D\theta \cup (\{z\} \times fn(P\theta, Q\theta, D\theta))$.

That is, if $D\theta$ corresponds to a quantifier prefix $\mathcal{Q}\bar{x}$, then $D'$ corresponds to the quantifier prefix $\mathcal{Q}\bar{x}\nabla z$. Taken together, these facts imply that one can define an open bisimulation relation which is indexed only by quantifier-prefix distinctions. That is, the family of relations $\{\mathcal{S}_D\}_D$, where each $D$ is a quantifier-prefix distinction and each $\mathcal{S}_D$ is defined as

  $\mathcal{S}_D = \{(P, Q) \mid P \sim^o_D Q\}$,

is an indexed open bisimulation.

Notice the absence of the excluded middle assumption on names in the specification of open bisimulation. Since $FO\lambda^{\Delta\nabla}$ is intuitionistic, this difference between late and open bisimulation is easily observed. This would not be the case if the specification logic were classical. Since the axiom of excluded middle is present as well in the specification of early bisimulation (Theorem 16), one might naturally wonder if there is a meaningful notion of bisimulation obtained from removing the excluded middle in the specification of early bisimulation and ∀-quantifying the free names. In other words, we would like to see if there is a notion of "open-early" bisimulation. In fact, the resulting bisimulation relation is exactly the same as open "late" bisimulation.

Theorem 23. Let $P$ and $Q$ be two processes and let $\bar{n}$ be the free names in $P$ and $Q$. Then $\forall\bar{n}.\mathrm{lbisim}\ P\ Q$ is provable if and only if $\forall\bar{n}.\mathrm{ebisim}\ P\ Q$ is provable.

We note that while it is possible to prove the impossibility of transitions (Proposition 9) within $FO\lambda^{\Delta\nabla}$, it is in general not the case with non-bisimilarity (which is not even recursively enumerable in the infinite setting). If we have evidence that two processes are not bisimilar, say, because one has a trace that the other does not have, then this trace information can be used in the proof of a non-bisimulation. Probably a good approach to this is to rely on the modal logics developed later in the paper: if processes are not bisimilar, there is an assertion formula that separates them. We have not planned to develop this particular theme since it seems to us to not be the main thrust of this paper: describing proofs of non-bisimilarity in the finite π-calculus case is an interesting thing that could be developed on top of the foundation we provide.

To conclude this section, we should explicitly compare the two specifications of 
early bisimulation in Definition 12 and in Theorem 16, the two specifications of late 
bisimulation in Definition 11 and in Theorem 15 and the two specifications of open 
bisimulation in Definition 14 and in Corollary 22. Notice that those specifications 
that rely on logic are written without the need for any explicit conditions on variable 
names or any need to mention distinctions explicitly. These various conditions are, 
of course, present in the detailed description of the proof theory of our logic, but 
it seems desirable to push the details of variable names, substitutions, free and 
bound-occurrence, and equalities into logic, where they have elegant and standard 
solutions. 

ACM Journal Name, Vol. V, No. N, 20YY. 



Proof Search Specifications of the π-calculus • 19



(a) Propositional connectives and basic modality:

  (true:)  $P \models \mathrm{true} \triangleq \top$.
  (and:)   $P \models A \,\&\, B \triangleq P \models A \wedge P \models B$.
  (or:)    $P \models A \vee B \triangleq P \models A \vee P \models B$.
  (match:) $P \models \langle X = X \rangle A \triangleq P \models A$.
  (match:) $P \models [X = Y]A \triangleq (X = Y) \supset P \models A$.
  (free:)  $P \models \langle X \rangle A \triangleq \exists P'(P \xrightarrow{X} P' \wedge P' \models A)$.
  (free:)  $P \models [X]A \triangleq \forall P'(P \xrightarrow{X} P' \supset P' \models A)$.
  (out:)   $P \models \langle \uparrow X \rangle A \triangleq \exists P'(P \xrightharpoonup{\uparrow X} P' \wedge \nabla y.P'y \models Ay)$.
  (out:)   $P \models [\uparrow X]A \triangleq \forall P'(P \xrightharpoonup{\uparrow X} P' \supset \nabla y.P'y \models Ay)$.
  (in:)    $P \models \langle \downarrow X \rangle A \triangleq \exists P'(P \xrightharpoonup{\downarrow X} P' \wedge \exists y.P'y \models Ay)$.
  (in:)    $P \models [\downarrow X]A \triangleq \forall P'(P \xrightharpoonup{\downarrow X} P' \supset \forall y.P'y \models Ay)$.

(b) Late modality:

  $P \models \langle \downarrow X \rangle^l A \triangleq \exists P'(P \xrightharpoonup{\downarrow X} P' \wedge \forall y.P'y \models Ay)$.
  $P \models [\downarrow X]^l A \triangleq \forall P'(P \xrightharpoonup{\downarrow X} P' \supset \exists y.P'y \models Ay)$.

(c) Early modality:

  $P \models \langle \downarrow X \rangle^e A \triangleq \forall y \exists P'(P \xrightharpoonup{\downarrow X} P' \wedge P'y \models Ay)$.
  $P \models [\downarrow X]^e A \triangleq \exists y \forall P'(P \xrightharpoonup{\downarrow X} P' \supset P'y \models Ay)$.

Fig. 4. Modal logics for the π-calculus in λ-tree syntax



6. SPECIFICATION OF MODAL LOGICS

We now present the modal logics for the π-calculus that were introduced in [Milner et al. 1993]. In order not to confuse meta-level ($FO\lambda^{\Delta\nabla}$) formulas (or connectives) with the formulas (connectives) of the modal logics under consideration, we shall refer to the latter as object formulas (respectively, object connectives). We shall work only with positive object formulas, i.e., we do not permit negations in those formulas. Note that since there are no atomic formulas in these modal logics (in particular, true or false are not atomic), de Morgan identities can be used to remove all occurrences of negations from such formulas. The syntax of the object formulas is as follows.

  $A ::= \mathrm{true} \mid \mathrm{false} \mid A \wedge A \mid A \vee A \mid [x = z]A \mid \langle x = z \rangle A$
  $\qquad \mid \langle \alpha \rangle A \mid [\alpha]A \mid \langle \bar{x}(y) \rangle A \mid [\bar{x}(y)]A \mid \langle x(y) \rangle A \mid [x(y)]A$
  $\qquad \mid \langle x(y) \rangle^L A \mid [x(y)]^L A \mid \langle x(y) \rangle^E A \mid [x(y)]^E A$

The symbol $\alpha$ denotes a free action, i.e., a free input, a free output, or the silent action. In each of the formulas $\langle \bar{x}(y) \rangle A$, $\langle x(y) \rangle A$, $\langle x(y) \rangle^L A$ and $\langle x(y) \rangle^E A$ (and their dual 'boxed' formulas), the occurrence of $y$ in parentheses is a binding occurrence whose scope is $A$. We use $A$, $B$, $C$, $D$ to range over object formulas. Note that we consider only finite conjunctions since the transition system we are considering is finitely branching, and, therefore, an infinite conjunction is not needed (as noted in [Milner et al. 1993]). We consider object formulas equivalent up to renaming of bound variables.

To encode object formulas we introduce the type $o'$ to denote such formulas and introduce the following constants for encoding the object connectives: $\mathrm{true}$ and $\mathrm{false}$ of type $o'$; $\&$ and $\vee$ of type $o' \to o' \to o'$; $\langle \cdot_1 = \cdot_2 \rangle \cdot_3$ and $[\cdot_1 = \cdot_2]\cdot_3$ of type $n \to n \to o' \to o'$; $\langle \cdot_1 \rangle \cdot_2$ and $[\cdot_1]\cdot_2$ of type $a \to o' \to o'$; and $\langle \uparrow\cdot_1 \rangle \cdot_2$, $[\uparrow\cdot_1]\cdot_2$, $\langle \downarrow\cdot_1 \rangle \cdot_2$, $[\downarrow\cdot_1]\cdot_2$, $\langle \downarrow\cdot_1 \rangle^l \cdot_2$, $[\downarrow\cdot_1]^l \cdot_2$, $\langle \downarrow\cdot_1 \rangle^e \cdot_2$, and $[\downarrow\cdot_1]^e \cdot_2$ of type $n \to (n \to o') \to o'$. The translation of object formulas to λ-tree syntax is given in the following definition.

Definition 24. The following function $[\![\cdot]\!]$ translates object formulas to βη-long normal terms of type $o'$.

  $[\![\mathrm{true}]\!] = \mathrm{true}$      $[\![\mathrm{false}]\!] = \mathrm{false}$
  $[\![A \wedge B]\!] = [\![A]\!] \,\&\, [\![B]\!]$      $[\![A \vee B]\!] = [\![A]\!] \vee [\![B]\!]$
  $[\![[x = y]A]\!] = [x = y][\![A]\!]$      $[\![\langle x = y \rangle A]\!] = \langle x = y \rangle [\![A]\!]$
  $[\![\langle \alpha \rangle A]\!] = \langle \alpha \rangle [\![A]\!]$      $[\![[\alpha]A]\!] = [\alpha][\![A]\!]$
  $[\![\langle \bar{x}(y) \rangle A]\!] = \langle \uparrow x \rangle (\lambda y [\![A]\!])$      $[\![[\bar{x}(y)]A]\!] = [\uparrow x](\lambda y [\![A]\!])$
  $[\![\langle x(y) \rangle A]\!] = \langle \downarrow x \rangle (\lambda y [\![A]\!])$      $[\![[x(y)]A]\!] = [\downarrow x](\lambda y [\![A]\!])$
  $[\![\langle x(y) \rangle^L A]\!] = \langle \downarrow x \rangle^l (\lambda y [\![A]\!])$      $[\![[x(y)]^L A]\!] = [\downarrow x]^l (\lambda y [\![A]\!])$
  $[\![\langle x(y) \rangle^E A]\!] = \langle \downarrow x \rangle^e (\lambda y [\![A]\!])$      $[\![[x(y)]^E A]\!] = [\downarrow x]^e (\lambda y [\![A]\!])$

In specifying the satisfaction relation $\models$ between processes and formulas, we restrict to the class of formulas which do not contain occurrences of the free input modality. This is because we consider only the late transition system and the semantics of the free input modality is defined with respect to the early transition system. But we note that adding this input modality and the early transition system does not pose any difficulty. Following Milner et al., we shall identify an object logic with the set of formulas it allows. We shall refer to the object logic without the free input modalities as $\mathcal{A}^-$.

The satisfaction relation $\models$ is encoded using the same symbol, which is given the type $p \to o' \to o$. This satisfaction relation is defined by the clauses in Figure 4. This definition, called $\mathcal{D}_{\mathcal{A}^-}$, corresponds to the modal logic $\mathcal{A}$ defined in [Milner et al. 1993], minus the clauses for the free input modality. Notice that $\mathcal{D}_{\mathcal{A}^-}$ interprets object-level disjunction and conjunction with, respectively, meta-level disjunction and conjunction. Since the modal logic $\mathcal{A}^-$ is classical and the meta-logic $FO\lambda^{\Delta\nabla}$ is intuitionistic, one may wonder whether such an encoding is complete. But since we consider only negation-free object formulas and since there are no atomic formulas, classical and intuitionistic provability coincide for the non-modal fragment of $\mathcal{A}^-$. The definition $\mathcal{D}_{\mathcal{A}^-}$ is, however, incomplete for the full logic $\mathcal{A}^-$, in the sense that there are true assertions of modal logics that are not provable using this definition alone. Using the 'box' modality, one can still encode some limited forms of negation, e.g., inequality of names. For instance, the modal judgment

  $x(y).x(z).0 \models \langle x(y) \rangle \langle x(z) \rangle (\langle x = z \rangle \mathrm{true} \vee [x = z]\mathrm{false})$,

which essentially asserts that any two names are equal or unequal, is valid in $\mathcal{A}$, but its encoding in $FO\lambda^{\Delta\nabla}$ is not provable without additional assumptions. It turns out that, as in the case with the specification of late bisimulation, the only assumption we need to assure completeness is the axiom of excluded middle on the equality of names: $\forall x \forall y.\ x = y \vee x \neq y$. Again, as in the specification of late bisimulation, we must also state this axiom for arbitrary extensions of local signatures. The adequacy of the specification of modal logics is stated in the following theorem.
Theorem 25. Let $P$ be a process and let $A$ be an object formula of the modal logic $\mathcal{A}^-$. Then $P \models A$ if and only if for some list $\bar{n}$ such that $fn(P, A) \subseteq \{\bar{n}\}$ and some $\mathcal{X} \subseteq_f \mathcal{E}$, the sequent $\mathcal{X} \vdash \nabla\bar{n}.([\![P]\!] \models [\![A]\!])$ is provable in $FO\lambda^{\Delta\nabla}$ with definition $\mathcal{D}_{\mathcal{A}^-}$.

The adequacy result stated in Theorem 25 subsumes the adequacy for the specifications of the sublogics of $\mathcal{A}^-$. Note that we quantify free names in the process-formula pair in the above theorem since we do not assume any constants of type $n$. Of course, such constants can be introduced without affecting the provability of the satisfaction judgments, but for simplicity, we repeat our treatment of names in the late bisimulation setting here as well.

Notice that the list of names $\bar{n}$ in Theorem 25 can contain more than just the free names of $P$ and $A$. This is important for the adequacy of the specification, since in the modal logics for the π-calculus, we can specify a modal formula $A$ and a process $P$ such that the assertion $P \models A$ is true only if there exists a new name which is not among the free names of both $P$ and $A$. Consider, for example, the assertion

  $a(x).0 \models [a(x)]^L [x = a]\mathrm{false}$

and its encoding in $FO\lambda^{\Delta\nabla}$ as the formula

  $\mathrm{in}\ a\ (\lambda x.0) \models [\downarrow a]^l (\lambda x.[x = a]\mathrm{false})$.

If we do not allow extra new names in the quantifier prefix in Theorem 25, then we would have to prove the formula

  $\nabla a.(\mathrm{in}\ a\ (\lambda x.0) \models [\downarrow a]^l (\lambda x.[x = a]\mathrm{false}))$.

It is easy to see that provability of this formula reduces to provability of

  $\nabla a \exists x.(0 \models [x = a]\mathrm{false})$.

Since we do not assume any constants of type $n$, the only way to prove this would be to instantiate $x$ with $a$, hence,

  $\nabla a.(0 \models [a = a]\mathrm{false})$ and $\nabla a.(a = a) \supset 0 \models \mathrm{false}$

must be provable. This is, in turn, equivalent to $\nabla a.0 \models \mathrm{false}$ which should not be provable for the adequacy result to hold. The key step here is the instantiation of $\exists x$. For the original formula to be provable, $x$ has to be instantiated with a name that is distinct from $a$. This can be done only if we allow extra names in the quantifier prefix: for example, the following formula is provable.

  $\nabla a \nabla b.(\mathrm{in}\ a\ (\lambda x.0) \models [\downarrow a]^l (\lambda x.[x = a]\mathrm{false}))$

Note that in the statement of Theorem 25, the list of names $\bar{n}$ is existentially quantified. If one is to implement model checking for $\mathcal{A}^-$ using the specification in Figure 4, the issue of how these names are chosen needs to be addressed. Obviously, the free names of $fn(P, A)$ need to be among $\bar{n}$. It remains to calculate how many new names need to be added. An inspection of the definition in Figure 4 shows that such new names may be needed only when bound input modalities are present in the modal formula. More specifically, when instantiating the name quantification
  $!P \xrightarrow{A} P' \mid\, !P \triangleq P \xrightarrow{A} P'$
  $!P \xrightharpoonup{A} \lambda y(My \mid\, !P) \triangleq P \xrightharpoonup{A} M$
  $!P \xrightarrow{\tau} (P' \mid MY) \mid\, !P \triangleq \exists X.\ P \xrightarrow{\uparrow XY} P' \wedge P \xrightharpoonup{\downarrow X} M$
  $!P \xrightarrow{\tau} \nu z.(Mz \mid Nz) \mid\, !P \triangleq \exists X.\ P \xrightharpoonup{\uparrow X} M \wedge P \xrightharpoonup{\downarrow X} N$

Fig. 5. Definition clauses for the π-calculus with replication



(∀ or ∃) in a definition clause for a bound input modality, such as in the definition clause

  $P \models \langle \downarrow X \rangle^l A \triangleq \exists P'(P \xrightharpoonup{\downarrow X} P' \wedge \forall y.P'y \models Ay)$,

we need to consider only cases where $y$ is instantiated to a free name in $P \models \langle \downarrow X \rangle^l A$, and where $y$ is instantiated to a new name. For the latter, the particular choice of the new name is unimportant, since the satisfiability relation for $\mathcal{A}^-$ is closed under substitution with new names (cf. Lemma 3.4 in [Milner et al. 1993]). One can thus calculate the number of new names needed based on the number of bound input modalities in $A$.

In [Milner et al. 1993], late bisimulation was characterized by the sublogic $\mathcal{LM}$ of $\mathcal{A}^-$ that arises from restricting the formulas to contain only the propositional connectives and the following modalities: $\langle \tau \rangle$, $\langle \bar{x}y \rangle$, $\langle \bar{x}(y) \rangle$, $[x = y]$, $\langle x(y) \rangle^L$, and their duals. We shall now show a similar characterization for open bisimulation.

The following theorem states that by dropping the excluded middle and changing the quantification of free names from ∇ to ∀, we get exactly a characterization of open bisimulation by the encoding of the sublogic $\mathcal{LM}$.

Theorem 26. Let $P$ and $Q$ be two processes. Then $P \sim^o_\emptyset Q$ if and only if for every $\mathcal{LM}$-formula $A$, it holds that $\vdash \forall\bar{n}([\![P]\!] \models [\![A]\!])$ if and only if $\vdash \forall\bar{n}([\![Q]\!] \models [\![A]\!])$, where $\bar{n}$ is the list of free names in $P$, $Q$ and $A$.

7. ALLOWING REPLICATION IN PROCESS EXPRESSIONS 

We now consider an extension to the finite π-calculus which allows us to represent
non-terminating processes. There are at least two ways to encode non-terminating
processes in the π-calculus, e.g., via recursive definitions or via replication
[Sangiorgi and Walker 2001]. We consider here the latter approach since it leads to
a simpler presentation of the operational semantics. To the syntax of the finite
π-calculus we add the process expression !P. The process !P can be understood as the
infinite parallel composition of P, i.e., $P \mid P \mid \cdots \mid P \mid \cdots$. Thus it is possible to have a
process that retains a copy of itself after making a transition; e.g., $!P \xrightarrow{\alpha} P' \mid\, !P$
whenever $P \xrightarrow{\alpha} P'$.

The operational semantics for one-step transitions of the π-calculus with replication
is given by the definition clauses in Figure 5, adapted to the λ-tree syntax from the
original presentation in [Sangiorgi and Walker 2001]. We use the same symbol to
encode replication in λ-tree syntax, i.e., $!\, :\, p \to p$.

In order to reason about bisimulation of processes involving !, we need to move to
a stronger logic which incorporates both induction and co-induction proof rules. We
consider the logic Linc [Tiu 2004], which is an extension of FOλ^{Δ∇} with induction
and co-induction proof rules. We first need to extend the notion of definitions to
include inductive and co-inductive definitions.

Definition 27. An inductive definition clause is written

$\forall\bar{x}.\; p\,\bar{x} \stackrel{\mu}{=} B\,p\,\bar{x}$

where B is a closed term. The symbol $\stackrel{\mu}{=}$ is used to indicate that the definition is
inductive. Similarly, a co-inductive definition clause is written

$\forall\bar{x}.\; p\,\bar{x} \stackrel{\nu}{=} B\,p\,\bar{x}.$

The notion of definition given in Definition 1 shall be referred to as a basic definition.
An extended definition is a collection of basic, inductive, or co-inductive definition
clauses.

A definition clause can be seen as a fixed point equation: in fact, Baelde and Miller
[2007] provide an alternative approach to inductive and co-inductive definitions
similar to what is available in the μ-calculus. When definitions are seen as fixed
points, provability of $p\,\bar{t}$ means, depending on whether p is basic, inductive or
co-inductive, that $\bar{t}$ is in, respectively, a fixed point, the least fixed point, or the
greatest fixed point of the underlying fixed point equation defining p.

Notice that the head of a (co-)inductive definition clause contains a predicate
whose arguments are only variables and not more general terms: this restriction
simplifies the presentation of the induction and co-induction inference rules.
Arguments that are more general terms can be encoded as explicit equalities in the
body of the clause. We also adopt a higher-order notation in describing the body
of clauses, i.e., we write $B\,p\,\bar{x}$ to mean that B is a top-level abstraction that has
no free occurrences of the predicate symbol p or of the variables $\bar{x}$. This notation
simplifies the presentation of the (co-)induction rules: in particular, it simplifies
the presentation of predicate substitutions.

There must be some stratification on the extended definition so as not to introduce
inconsistency into the logic. For the details of such stratification we refer the
interested reader to [Tiu 2004]. For our current purpose, it should be sufficient
to understand that mutually recursive (co-)inductive definitions are not allowed, and
that dependencies through negation are forbidden, as they already are in basic definitions.

Let $p\,\bar{x} \stackrel{\mu}{=} B\,p\,\bar{x}$ be an inductive definition. Its left and right introduction rules
are

    $\bar{x};\; B\,S\,\bar{x} \vdash S\,\bar{x}$        $\Sigma;\; \sigma \triangleright S\,\bar{t},\, \Gamma \vdash C$
    ------------------------------------------------------- μL
    $\Sigma;\; \sigma \triangleright p\,\bar{t},\, \Gamma \vdash C$

    $\Sigma;\; \Gamma \vdash \sigma \triangleright B\,p\,\bar{t}$
    ------------------------------------ μR
    $\Sigma;\; \Gamma \vdash \sigma \triangleright p\,\bar{t}$

where S is the induction invariant, a closed term of the same type as p. The
introduction rules for co-inductively defined predicates are dual to the inductive
ones. In this case, we suppose that p is defined by the co-inductive clause
$p\,\bar{x} \stackrel{\nu}{=} B\,p\,\bar{x}$.

    $\Sigma;\; \sigma \triangleright B\,p\,\bar{t},\, \Gamma \vdash C$
    ------------------------------------------ νL
    $\Sigma;\; \sigma \triangleright p\,\bar{t},\, \Gamma \vdash C$

    $\Sigma;\; \Gamma \vdash \sigma \triangleright S\,\bar{t}$        $\bar{x};\; S\,\bar{x} \vdash B\,S\,\bar{x}$
    ------------------------------------------------------- νR
    $\Sigma;\; \Gamma \vdash \sigma \triangleright p\,\bar{t}$

Here S is a closed term denoting the co-induction invariant, or simulation. Induction
rules cannot be applied to co-inductive predicates and vice versa. The defR and
defL rules, strictly speaking, are applicable only to basic definitions. But as is
shown in [Tiu 2004], these rules are derivable for (co-)inductive definitions: that
is, for these definitions, defR can be shown to be a special case of νR and defL a
special case of μL.

The definitions in FOλ^{Δ∇} we have seen so far can be carried over to Linc with
some minor bureaucratic changes: e.g., in the case of bisimulations, we now need to
indicate explicitly that the definition is co-inductive. For instance, the definition of
lbisim should now be marked as co-inductive by changing the symbol $\triangleq$ to
$\stackrel{\nu}{=}$. We shall now present an example of proving bisimulation using explicit
induction and co-induction rules. We shall not go into the details of the technical
theorems of the adequacy results: these can be found in [Tiu 2004].

Example 28. Let $P = \,!(z)(\bar{z}a \mid z(y).\bar{x}y)$ and $Q = \,!\tau.\bar{x}a$. The only action P can
make is the silent action τ, since the channel z is restricted internally within the
process. It is easy to see that $P \xrightarrow{\tau} (z)(0 \mid \bar{x}a) \mid P$. That is, the continuation of P is
capable of outputting the free name a or of making a silent transition. Obviously Q can
make the same τ action and results in a bisimilar continuation. Let us try to prove
lbisim P Q. The simple proof strategy of unfolding the lbisim clause via defR will
not work here, since after the first defR on lbisim (but before the second defR on
lbisim) we arrive at the sequent $\mathrm{lbisim}\ ((z)(0 \mid \bar{x}a) \mid P)\ (\bar{x}a \mid Q)$. Since P and Q still
occur in the continuation pair, it is obvious that this strategy is non-terminating.
We need to use the co-induction proof rules instead.

An informal proof starts by finding a bisimulation (a set of pairs of processes) S
such that $(P, Q) \in S$. Let

$S' = \{\, (R_1 \mid \cdots \mid R_n \mid P,\;\; T_1 \mid \cdots \mid T_n \mid Q) \;\mid\; n \geq 0,\; R_i \text{ is } (z)(0 \mid \bar{x}a) \text{ or } (z)(0 \mid 0),\; \text{and } T_i \text{ is either } \bar{x}a \text{ or } 0 \,\}.$

Define S to be the symmetric closure of S'. It can be verified that S is a bisimulation
by showing that the set is closed with respect to one-step transitions. To prove this
formally in Linc we need to represent the set S. We code the set S as the following
inductive definition (we allow ourselves to put general terms in the head of this
definition and to have more than one clause: it is straightforward to translate this
definition into the restricted form given above).

$\mathrm{inv}\ P\ Q \stackrel{\mu}{=} \top.$        $\mathrm{inv}\ Q\ P \stackrel{\mu}{=} \top.$

$\mathrm{inv}\ ((z)(0 \mid 0) \mid M)\ (0 \mid N) \stackrel{\mu}{=} \mathrm{inv}\ M\ N.$
$\mathrm{inv}\ (0 \mid N)\ ((z)(0 \mid 0) \mid M) \stackrel{\mu}{=} \mathrm{inv}\ N\ M.$
$\mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid M)\ (\bar{x}a \mid N) \stackrel{\mu}{=} \mathrm{inv}\ M\ N.$
$\mathrm{inv}\ (\bar{x}a \mid N)\ ((z)(0 \mid \bar{x}a) \mid M) \stackrel{\mu}{=} \mathrm{inv}\ N\ M.$

Note that for simplicity of presentation, we assume that we have two constants
of type n, namely x and a, in the logic (but we note that this assumption is not
necessary). The set of pairs encoded by inv can be shown to be symmetric, i.e., the
formula $\forall R\,\forall T.\; \mathrm{inv}\ R\ T \supset \mathrm{inv}\ T\ R$ is provable inductively (using the same formula
as the induction invariant).

To now prove the sequent $\vdash \mathrm{lbisim}\ P\ Q$, we can use the νR rule with the predicate
inv as the invariant. The premises of the νR rule are the two sequents $\vdash \mathrm{inv}\ P\ Q$

ACM Journal Name, Vol. V, No. N, 20YY.

Proof Search Specifications of the π-calculus • 25

and $R, T;\; \mathrm{inv}\ R\ T \vdash B\ R\ T$, where $B\ R\ T$ is the following large conjunction:

$\forall A\,\forall R'.\,[(R \xrightarrow{A} R') \supset \exists T'.\,(T \xrightarrow{A} T') \wedge \mathrm{inv}\ R'\ T'] \;\wedge$
$\forall A\,\forall T'.\,[(T \xrightarrow{A} T') \supset \exists R'.\,(R \xrightarrow{A} R') \wedge \mathrm{inv}\ T'\ R'] \;\wedge$
$\forall X\,\forall R'.\,[(R \xrightharpoonup{\downarrow X} R') \supset \exists T'.\,(T \xrightharpoonup{\downarrow X} T') \wedge \forall w.\, \mathrm{inv}\ (R'\,w)\ (T'\,w)] \;\wedge$
$\forall X\,\forall T'.\,[(T \xrightharpoonup{\downarrow X} T') \supset \exists R'.\,(R \xrightharpoonup{\downarrow X} R') \wedge \forall w.\, \mathrm{inv}\ (T'\,w)\ (R'\,w)] \;\wedge$
$\forall X\,\forall R'.\,[(R \xrightharpoonup{\uparrow X} R') \supset \exists T'.\,(T \xrightharpoonup{\uparrow X} T') \wedge \nabla w.\, \mathrm{inv}\ (R'\,w)\ (T'\,w)] \;\wedge$
$\forall X\,\forall T'.\,[(T \xrightharpoonup{\uparrow X} T') \supset \exists R'.\,(R \xrightharpoonup{\uparrow X} R') \wedge \nabla w.\, \mathrm{inv}\ (T'\,w)\ (R'\,w)].$

The sequent reads, intuitively, that the set defined by inv is closed under one-step
transitions. This is proved by induction on inv. Formally, this is done by applying
μL to inv R T, using the invariant

$\lambda R\,\lambda T.\; \mathrm{inv}\ R\ T \supset B\ R\ T.$

The sequents corresponding to the base cases of the induction are

$\mathrm{inv}\ P\ Q \vdash B\ P\ Q$    and    $\mathrm{inv}\ Q\ P \vdash B\ Q\ P$

and the inductive cases are given by

$\mathrm{inv}\ R\ T \supset B\ R\ T \;\vdash\; \mathrm{inv}\ ((z)(0 \mid 0) \mid R)\ (0 \mid T) \supset B\ ((z)(0 \mid 0) \mid R)\ (0 \mid T),$
$\mathrm{inv}\ R\ T \supset B\ R\ T \;\vdash\; \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R)\ (\bar{x}a \mid T) \supset B\ ((z)(0 \mid \bar{x}a) \mid R)\ (\bar{x}a \mid T)$

and their symmetric variants. The full proof involves a number of cases, of which
we show one here: the other cases can be proved similarly.

We consider a case for free output, where we have the sequent (after applying
some right-introduction rules)

$\mathrm{inv}\ R\ T \supset B\ R\ T,\;\; \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R)\ (\bar{x}a \mid T),\;\; ((z)(0 \mid \bar{x}a) \mid R) \xrightarrow{A} R' \;\vdash\; \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ R'\ T'$    (1)

to prove. Its symmetric case can be proved analogously. The sequent (1) can be
simplified by applying defL to the inv predicate, followed by an instance of ⊃L.
The resulting sequent is

$B\ R\ T,\;\; \mathrm{inv}\ R\ T,\;\; ((z)(0 \mid \bar{x}a) \mid R) \xrightarrow{A} R' \;\vdash\; \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ R'\ T'$    (2)

There are three ways in which the one-step transition on the left-hand side of
sequent (2) can be inferred (via defL): either A is $\bar{x}a$ and R' is $((z)(0 \mid 0) \mid R)$; or
$R \xrightarrow{A} R''$ and R' is $((z)(0 \mid \bar{x}a) \mid R'')$; or A is τ, $R \xrightharpoonup{\downarrow x} M$ and R' is $((z)(0 \mid 0) \mid M\,a)$
for some M. These three cases correspond to the following sequents:

$B\ R\ T,\; \mathrm{inv}\ R\ T \;\vdash\; \exists T'.\,(\bar{x}a \mid T) \xrightarrow{\bar{x}a} T' \wedge \mathrm{inv}\ ((z)(0 \mid 0) \mid R)\ T'$

$B\ R\ T,\; \mathrm{inv}\ R\ T,\; R \xrightarrow{A} R'' \;\vdash\; \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ T'$

$B\ R\ T,\; \mathrm{inv}\ R\ T,\; R \xrightharpoonup{\downarrow x} M \;\vdash\; \exists T'.\,(\bar{x}a \mid T) \xrightarrow{\tau} T' \wedge \mathrm{inv}\ ((z)(0 \mid 0) \mid M\,a)\ T'$




Fig. 6. A derivation in Linc (the proof of the first sequent), read bottom-up:

    $B\ R\ T,\; \mathrm{inv}\ R\ T \vdash \exists T'.\,(\bar{x}a \mid T) \xrightarrow{\bar{x}a} T' \wedge \mathrm{inv}\ ((z)(0 \mid 0) \mid R)\ T'$
      by ∃R (with $T' := 0 \mid T$) from
    $B\ R\ T,\; \mathrm{inv}\ R\ T \vdash (\bar{x}a \mid T) \xrightarrow{\bar{x}a} (0 \mid T) \wedge \mathrm{inv}\ ((z)(0 \mid 0) \mid R)\ (0 \mid T)$
      by ∧R from the two premises
        $\vdash (\bar{x}a \mid T) \xrightarrow{\bar{x}a} (0 \mid T)$, by defR (closed by ⊤R), and
        $\ldots,\, \mathrm{inv}\ R\ T \vdash \mathrm{inv}\ ((z)(0 \mid 0) \mid R)\ (0 \mid T)$, by defR from $\ldots,\, \mathrm{inv}\ R\ T \vdash \mathrm{inv}\ R\ T$ (init).

Fig. 7. A derivation in Linc (the proof of the second sequent), given in two parts and read bottom-up:

    $B\ R\ T,\; R \xrightarrow{A} R'' \vdash \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ T'$
      by ∧L (selecting the first conjunct of $B\ R\ T$) from
    $\forall U\,\forall A'.\, R \xrightarrow{A'} U \supset \exists V.\,T \xrightarrow{A'} V \wedge \mathrm{inv}\ U\ V,\;\; R \xrightarrow{A} R'' \vdash \ldots$
      by ∀L; ∀L (with $U := R''$ and $A' := A$) from
    $R \xrightarrow{A} R'' \supset \exists V.\,T \xrightarrow{A} V \wedge \mathrm{inv}\ R''\ V,\;\; R \xrightarrow{A} R'' \vdash \ldots$
      by ⊃L from the two premises
        $R \xrightarrow{A} R'' \vdash R \xrightarrow{A} R''$ (init), and
        $\exists V.\,T \xrightarrow{A} V \wedge \mathrm{inv}\ R''\ V \vdash \ldots$, which is the derivation Π below.

where Π is

    $\exists V.\,T \xrightarrow{A} V \wedge \mathrm{inv}\ R''\ V \vdash \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ T'$
      by ∃L; ∧L from
    $T \xrightarrow{A} V,\; \mathrm{inv}\ R''\ V \vdash \exists T'.\,(\bar{x}a \mid T) \xrightarrow{A} T' \wedge \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ T'$
      by ∃R (with $T' := \bar{x}a \mid V$) from
    $T \xrightarrow{A} V,\; \mathrm{inv}\ R''\ V \vdash (\bar{x}a \mid T) \xrightarrow{A} (\bar{x}a \mid V) \wedge \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ (\bar{x}a \mid V)$
      by ∧R from the two premises
        $T \xrightarrow{A} V \vdash (\bar{x}a \mid T) \xrightarrow{A} (\bar{x}a \mid V)$, by defR from $T \xrightarrow{A} V \vdash T \xrightarrow{A} V$ (init), and
        $\mathrm{inv}\ R''\ V \vdash \mathrm{inv}\ ((z)(0 \mid \bar{x}a) \mid R'')\ (\bar{x}a \mid V)$, by defR from $\mathrm{inv}\ R''\ V \vdash \mathrm{inv}\ R''\ V$ (init).

The proof of the first sequent is given in Figure 6 and that of the second sequent
in Figure 7. The proof of the third sequent is not given, but it is easy to see that
it has a structure similar to that of the proof of the second one.

8. AUTOMATION OF PROOF SEARCH 

The above specifications for one-step transitions, for late, early, and open bisimulation,
and for modal logics are not only declarative and natural, they can also, in
many cases, be turned into effective and symbolic implementations by using techniques
from the proof search literature. In this section we outline high-level aspects
of the proof theory of FOλ^{Δ∇} that can be directly exploited to provide implementations
of significant parts of this logic: we also describe how such general aspects
can be applied to some of our π-calculus examples.

8.1 Focused proof search 

Since the cut-elimination theorem holds for FOλ^{Δ∇}, the search for a proof can be
restricted to cut-free proofs. It is possible to significantly constrain cut-free proofs
to focused proofs while still preserving completeness. The search for focused proofs
has a simple structure that is organized into two phases. The asynchronous phase
applies only invertible inference rules, in any order, until no additional invertible
rules can be applied. The synchronous phase involves the selection of a (possibly)
non-invertible inference rule and the hereditary (focused) application of such inference
rules until invertible rules are possible again. Andreoli [Andreoli 1992]
provided such a focused proof system for linear logic and proved its completeness.
Subsequently many focusing systems for intuitionistic and classical logic have been
developed; cf. [Liang and Miller 2007] for a description of several of them. Baelde
and Miller [2007] present a focusing proof system for multiplicative and additive
linear logic (MALL) extended with fixed points and show that that proof
system provides a focusing proof system for a large subset of FOλ^{Δ∇}. Focused proof
systems are generally the basis for the automation of logic programming languages
and they generalize the notion of uniform proofs [Miller et al. 1991].

8.2 Unification 

Unification can be used in the implementation of FOλ^{Δ∇} proof search in two different
ways. One way involves the implementation of the defL inference rule and
the other involves the determination of appropriate terms for instantiating the
∃ quantifier in the ∃R inference rule and the ∀ quantifier in the ∀L inference rule.
In the specifications presented here, unification only requires the decidable and
determinate subset of higher-order unification called higher-order pattern (or $L_\lambda$)
unification [Miller 1991]. This style of unification, which can be described as first-order
unification extended to allow for bound variables and their mobility within
terms, formulas, and proofs, is known to have efficient and practical unification
algorithms that compute most general unifiers whenever unifiers exist [Nipkow 1993;
Nadathur and Linnell 2005]. The Teyjus implementation [Nadathur and Mitchell
1999; Nadathur 2005] of λProlog provides an effective implementation of such unification,
as do Isabelle [Paulson 1990] and Twelf [Pfenning and Schürmann 1999].

8.3 Proof search for one-step transitions. 

Computing one-step transitions can be done entirely using a conventional higher-order
logic programming language such as λProlog: since the definition $\mathcal{D}_\pi$ for
one-step transitions is Horn, we can use Proposition 4 to show that, for the purposes
of computing one-step transitions, all occurrences of ∇ in $\mathcal{D}_\pi$ can be changed
to ∀. The resulting definition is then a λProlog logic program for which Teyjus
provides an effective implementation. In particular, after loading that definition,
we would simply ask the query $P \xrightarrow{A} P'$, where P is the encoding of a particular
π-calculus expression and A and P' are free variables. Standard logic programming
interpreters would then systematically bind these two variables to the actions and
continuations that P can make. Similarly, if the query was $P \xrightharpoonup{A} P'$, logic
programming search would systematically return all bound actions (here, A has type
$n \to a$) and corresponding bound continuations (here, P' has type $n \to p$).

8.4 Proof search for open bisimulation. 

Theorem proving to establish a bisimulation goal is not done via a conventional
logic programming system like λProlog, since such systems do not implement the
∇-quantifier and the case analysis and unification of eigenvariables that is required
for the defL inference rule. Nonetheless, the implementation of proof search for
open bisimulation is easy to specify using the following key steps. (Sequents missing
from this outline are trivial to address.) In the following, we use the quantifier prefix
Q to denote either ∀x, ∇x, or the empty quantifier prefix.

(1) When searching for a proof of $\Sigma;\ \vdash \sigma \triangleright Q.\mathrm{lbisim}\ P\ Q$, apply right-introduction
rules: i.e., simply introduce the quantifier Q (if it is non-empty) and then open
the definition of lbisim.

(2) If the sequent has a formula on its left-hand side, then that formula is
$\sigma \triangleright P \xrightarrow{A} P'$, where P denotes a particular term all of whose non-ground subterms are
of type n, and A and P' are terms, possibly containing eigenvariables. In this
case, select the defL inference rule: the premises of this inference rule will then
be either (i) the empty set of premises (which represents the only way that
proof search terminates), or (ii) a set of premises that are all again of the form
of one-step judgments, or (iii) a premise containing ⊤ instead of an atom on
the left, in which case we must consider the remaining case that follows (after
using the weakening wL inference rule).

(3) If the sequent has the form $\Sigma;\ \vdash \sigma \triangleright \exists Q'.[Q \xrightarrow{A} Q' \wedge B(P', Q')]$, where $B(P', Q')$
involves a recursive call to lbisim and where P' is a closed term, then we must
instantiate the existential quantifier with an appropriate substitution. Standard
logic programming techniques can be used to find a substitution for Q' such
that $Q \xrightarrow{A} Q'$ is provable (during this search, eigenvariables and locally scoped
variables are treated as constants, and P and A denote particular closed terms).
There might be several ways to prove such a formula and, as a result, there
might be several different substitutions for Q'. If one chooses the term T to
instantiate Q', then one proceeds to prove the sequent $\Sigma;\ \vdash \sigma \triangleright Q.\mathrm{lbisim}\ P'\ T$.
If the sequent has instead the form $\Sigma;\ \vdash \sigma \triangleright \exists Q'.[Q \xrightharpoonup{A} Q' \wedge B(P', Q')]$, then
one proceeds in an analogous manner.

Proof search for the first two cases is invertible (no backtracking is needed for those
cases). On the other hand, the third case is not invertible and backtracking over
possibly all choices of the substitution term T might be necessary to ensure completeness.
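As an added example (it is not code from the paper, nor the λProlog or Bedwyr code the paper discusses), the following Python program carries out, for a finite fragment of the π-calculus, the two computations described in Sections 8.3 and 8.4: enumerating the one-step late transitions of a concrete process, as the query P --A--> P' does, and checking bisimulation by matching every transition of one process against a transition of the other with backtracking, as in step (3) above. It checks strong late bisimulation on closed processes (every name is a constant, so name equality is decided by comparison), not the symbolic open bisimulation over eigenvariables; a bound-input continuation is tested against the free names of both processes plus one new name, which is the finite instantiation discussed for the bound-input modality earlier in the paper. The fragment omits restriction, so bound outputs never arise, and the tuple encoding of processes, the action representation and the sample processes are this example's own assumptions.

```python
"""Late one-step transitions and strong late bisimulation for a finite
pi-calculus fragment without restriction (so no bound outputs arise).
Process encoding (the example's own): ('nil',) is 0; ('out', x, y, P) is
x-bar y.P; ('inp', x, y, P) is x(y).P with y bound; ('tau', P); ('sum', P, Q);
('par', P, Q); ('match', x, y, P) is [x = y]P.  Actions are ('tau',),
('out', x, y) or ('inp', x); a bound-input continuation is an abstraction
(y, body), the analogue of a continuation of type n -> p."""
from itertools import count

def free_names(P):
    tag = P[0]
    if tag == 'nil':
        return set()
    if tag in ('out', 'match'):
        return {P[1], P[2]} | free_names(P[3])
    if tag == 'inp':
        return {P[1]} | (free_names(P[3]) - {P[2]})
    if tag == 'tau':
        return free_names(P[1])
    return free_names(P[1]) | free_names(P[2])             # sum, par

def fresh(avoid):
    """A name not in `avoid`: the single new name needed per bound input."""
    return next(f"n{i}" for i in count() if f"n{i}" not in avoid)

def subst(P, y, z):
    """P with free occurrences of y replaced by z, renaming binders to avoid capture."""
    r = lambda a: z if a == y else a
    tag = P[0]
    if tag == 'nil':
        return P
    if tag in ('out', 'match'):
        return (tag, r(P[1]), r(P[2]), subst(P[3], y, z))
    if tag == 'inp':
        x, w, body = r(P[1]), P[2], P[3]
        if w == y:                                   # y is not free under this binder
            return ('inp', x, w, body)
        if w == z:                                   # z would be captured: rename binder
            w2 = fresh(free_names(body) | {y, z})
            body, w = subst(body, w, w2), w2
        return ('inp', x, w, subst(body, y, z))
    if tag == 'tau':
        return ('tau', subst(P[1], y, z))
    return (tag, subst(P[1], y, z), subst(P[2], y, z))

def steps(P):
    """All (action, continuation) pairs of P: the answers to the query P --A--> P'."""
    tag = P[0]
    if tag == 'nil':
        return []
    if tag == 'out':
        return [(('out', P[1], P[2]), P[3])]
    if tag == 'inp':
        return [(('inp', P[1]), (P[2], P[3]))]
    if tag == 'tau':
        return [(('tau',), P[1])]
    if tag == 'match':
        return steps(P[3]) if P[1] == P[2] else []       # [x=x]P acts as P
    if tag == 'sum':
        return steps(P[1]) + steps(P[2])
    result = []
    for side, other, par in ((P[1], P[2], lambda a, b: ('par', a, b)),
                             (P[2], P[1], lambda a, b: ('par', b, a))):
        for act, cont in steps(side):                    # one component acts alone
            if act[0] == 'inp':
                y, body = cont
                if y in free_names(other):               # keep the binder out of `other`
                    y2 = fresh(free_names(body) | free_names(other))
                    body, y = subst(body, y, y2), y2
                result.append((act, (y, par(body, other))))
            else:
                result.append((act, par(cont, other)))
            if act[0] == 'out':                          # com: x-bar z meets x(y)
                for act2, cont2 in steps(other):
                    if act2 == ('inp', act[1]):
                        y, body = cont2
                        result.append((('tau',), par(cont, subst(body, y, act[2]))))
    return result

def late_bisim(P, Q):
    """Strong late bisimilarity of closed finite processes.  A bound input must be
    matched by ONE continuation that works for every instance of the bound name,
    tried over the free names of both processes plus a new one; the search over
    candidate matches backtracks, like step (3) of the open-bisimulation outline."""
    names = free_names(P) | free_names(Q)
    names = sorted(names | {fresh(names)})

    def matched(act, cont, candidates):
        for act2, cont2 in candidates:
            if act2 != act:
                continue
            if act[0] == 'inp':
                (y1, b1), (y2, b2) = cont, cont2
                if all(late_bisim(subst(b1, y1, w), subst(b2, y2, w)) for w in names):
                    return True
            elif late_bisim(cont, cont2):
                return True
        return False

    sp, sq = steps(P), steps(Q)
    return all(matched(a, c, sq) for a, c in sp) and all(matched(a, c, sp) for a, c in sq)

NIL = ('nil',)
# Constructed sample processes (not from the paper).  Expansion-law instance:
# x-bar a.0 | x(y).y-bar b.0  versus its sum of interleavings and communication.
P_EXPAND = ('par', ('out', 'x', 'a', NIL), ('inp', 'x', 'y', ('out', 'y', 'b', NIL)))
Q_EXPAND = ('sum', ('out', 'x', 'a', ('inp', 'x', 'y', ('out', 'y', 'b', NIL))),
            ('sum', ('inp', 'x', 'y', ('par', ('out', 'x', 'a', NIL), ('out', 'y', 'b', NIL))),
                    ('tau', ('out', 'a', 'b', NIL))))
# Late versus early: x(u).0 + x(u).tau.0 and the same plus x(u).[u=a]tau.0 are
# early bisimilar but not late bisimilar (the instance u := a separates them).
P_LATE = ('sum', ('inp', 'x', 'u', NIL), ('inp', 'x', 'u', ('tau', NIL)))
Q_LATE = ('sum', P_LATE, ('inp', 'x', 'u', ('match', 'u', 'a', ('tau', NIL))))
```

`steps(P_EXPAND)` returns three transitions (the free output, the bound input with its abstraction, and the τ produced by the internal communication), `late_bisim(P_EXPAND, Q_EXPAND)` returns True, and `late_bisim(P_LATE, Q_LATE)` returns False because no single input continuation of P_LATE agrees with `[u=a]τ.0` both at u := a and at the new name. Termination needs no assumption set here because every transition consumes a prefix; with replication, as in Section 7, the same search would loop and an explicit invariant would be needed instead.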

8.5 The Bedwyr model checker

The various implementation techniques mentioned above, namely unification of λ-terms,
backtracking focused proof search, and the unfolding of definitions, have all been implemented
within the Bedwyr model checking system [Baelde et al. 2007], which implements
proof search for a simple fragment [Tiu et al. 2005] of FOλ^{Δ∇}. The definitions
of one-step transitions and of bisimulation are in this fragment, and the Bedwyr
system is a complete implementation of open bisimulation for the finite π-calculus:
in particular, it provides a decision procedure for open bisimulation. Bedwyr also
implements limited forms of the modal logic described in Section 6. It is also possible
to use Bedwyr to explore why two π-calculus processes might not be bisimilar:
for example, it is easy to define traces for such processes and then to search for a
trace that holds of one process but not of the other.

Since Bedwyr is limited to intuitionistic reasoning, it does not fully implement
late bisimulation. We now speculate briefly on how one might extend a system like
Bedwyr to treat late bisimulation.

8.6 Proof search for late bisimulation.

The main difference between doing proof search for open bisimulation and for late
bisimulation is that in the latter we need to select and instantiate formulas from
the set ℰ and explore the cases generated by the resulting ∨L rule. For example,
consider a sequent of the form $\Sigma, x;\; \mathcal{E}, \Gamma_x \vdash C_x$, where $\Gamma_x \cup \{C_x\}$ is a set of formulas
which may have x free. One way to proceed with the search for a proof would be
to instantiate $\forall z.(x = z \vee x \neq z)$ twice, with the distinct constants a and b. We would then
need to consider proofs of the sequent $\Sigma, x;\; x = a \vee x \neq a,\; x = b \vee x \neq b,\; \Gamma_x \vdash C_x$.
Using the ∨L rule twice, we are left with four sequents to prove:

(1) $\Sigma, x;\; x = a,\; x = b,\; \Gamma_x \vdash C_x$, which is proved trivially since the equalities are
contradictory;

(2) $\Sigma, x;\; x = a,\; x \neq b,\; \Gamma_x \vdash C_x$, which is equivalent to $\Sigma;\; \Gamma_a \vdash C_a$;

(3) $\Sigma, x;\; x \neq a,\; x = b,\; \Gamma_x \vdash C_x$, which is equivalent to $\Sigma;\; \Gamma_b \vdash C_b$; and

(4) $\Sigma, x;\; x \neq a,\; x \neq b,\; \Gamma_x \vdash C_x$.

In this way, the excluded middle can be used with a set of n items to produce n + 1
sequents: one for each member of the set and one extra sequent to handle all other
cases (if there are any).

The main issue for implementing proof search with this specification of late bisimulation
is to determine what instances of the excluded middle are needed: answering
this question would then reduce proof search to one similar to that for open bisimulation.
There seem to be two extreme approaches to take. At one extreme, we can take
instances for all possible names that are present in our process expressions: determining
such instances is simple but might lead to many more cases to consider than
is necessary. The other extreme would be more lazy: an instance of the excluded
middle is suggested only when there seems to be a need to consider that instance.
The failure of a defR rule because of a mismatch between an eigenvariable and a
constant would, for example, suggest that the excluded middle should be invoked for
that eigenvariable and that constant. The exact details of such schemes and their
completeness are left for future work.

9. RELATED AND FUTURE WORK 

There are many papers on topics related to the encoding of the operational semantics
of the π-calculus into formal systems. An encoding of one-step transitions
for the π-calculus using Coq was presented in [Despeyroux 2000], but the problem
of computing bisimulation was not considered. Honsell, Miculan, and Scagnetto
[Honsell et al. 2001] give a more involved encoding of the π-calculus in Coq and
assume that there is an infinite number of global names. They then build formal
mechanisms to support notions such as "freshness" within a scope, substitution
of names, occurrences of names in expressions, etc. Gabbay [Gabbay 2003] does
something similar but uses the set theory developed in [Gabbay and Pitts 2001]
to help develop his formal mechanisms. This formalism was later given a first-order
axiomatization by Pitts [Pitts 2003], resulting in an extension of first-order logic
called nominal logic. Aspects of nominal reasoning have been incorporated into the
proof assistant Isabelle [Urban and Tasson 2005] and there has been some recent
work on formalizing the meta-theory of the π-calculus in this framework [Bengtson
and Parrow 2007]. Hirschkoff [Hirschkoff 1997] also used Coq but employed
de Bruijn numbers [de Bruijn 1972] instead of explicit names. In the papers that
address bisimulation, formalizing names and their scopes, occurrences, freshness,
and substitution is considerable work. In our approach, much of this same work
is required, of course, but it is available in rather old technology, particularly via
Church's Simple Theory of Types (where bindings in terms and formulas were put
on a firm foundation via λ-terms), Gentzen's sequent calculus, Huet's unification
procedure for λ-terms [Huet 1975], etc. More modern work on proof search in
higher-order logics is also available to make our task easier and more declarative.

The encoding of transitions for the π-calculus into logics and type systems has
been studied in a number of previous works [Honsell et al. 1998; Despeyroux 2000;
Honsell et al. 2001; Röckl et al. 2001; Bengtson and Parrow 2007]. Our encoding,
presented as a definition in Figure 2, has appeared in [Miller and Palamidessi 1999;
Miller and Tiu 2003]. The material on proof automation in Section 8 clearly seems
related to symbolic bisimulation (for example, see [Hennessy and Lin 1995; Boreale
and De Nicola 1996]) and to the use of unification and logic programming techniques to
compute symbolic bisimulations (for example, see [Basu et al. 2001; Boreale 2001]).
Since the technologies used to describe these other approaches are rather different
from what is described here, a detailed comparison is left for future work.

It is, of course, interesting to consider the general π-calculus where infinite behaviors
are allowed (by including ! or recursive definitions). In such cases, one
might still be able to do many proofs involving bisimulation if the proof system
included induction and co-induction inference rules. We have illustrated with a
simple example in Section 7 how such a proof might be done. Inference rules for induction
and co-induction appropriate for the sequent calculus have been presented
in [Momigliano and Tiu 2003] and a version of these rules that also involves the
∇ quantifier has been presented in the first author's PhD thesis [Tiu 2004]. Open
bisimulation, however, has not been studied in this setting. We plan to investigate
further how these stronger proof systems can be used to establish properties of
π-calculus expressions with infinite behaviors.

Specifications of operational semantics using a logic should make it possible to
formally prove properties concerning that operational semantics. This was the case,
for example, with specifications of the evaluation and typing of simple functional
and imperative programming languages: a number of common theorems (determinacy
of evaluation, subject reduction, etc.) can be naturally inferred using logical
specifications [McDowell and Miller 2002]. We plan to investigate using our logic
(also incorporating rules for induction and co-induction) for formally proving parts
of the theory of the π-calculus. It seems, for example, rather transparent to prove
that open bisimilarity is a congruence in our setting (see [Ziegler et al. 2005] for a
more general class of congruence relations).

10. CONCLUSION 

In this paper we presented a meta-logic that allows for declarative specifications of
judgments related to the π-calculus. These specifications are done entirely within
the logic and without any additional side conditions. The management of name
bindings in the specification of one-step transitions, bisimulation, and modal logic
is handled completely by the logic's three levels of binding, namely, λ-bindings
within terms, the formula-level binders (quantifiers) ∀, ∃, and ∇, and the proof-level
bindings for eigenvariables and local (generic) contexts.

This paper can be seen as part of a tradition of treating syntax more abstractly.
The early, formal treatments of syntax by, for example, Church and Gödel formalized
terms and formulas as strings. Eventually, that treatment of syntax was
replaced by more abstract objects such as parse trees: it is on parse trees that
most syntactic descriptions of the λ-calculus and π-calculus are now given. Unfortunately,
parse trees do not come equipped with primitive notions of binding. To
fix that problem, for example, Prawitz introduced "discharge functions" [Prawitz
1965] and de Bruijn introduced "nameless dummies" [de Bruijn 1972]. The move
from parse trees to λ-trees, along with the use of a logic able to deal intimately
with syntactic abstractions, is another way to fix this problem.

A significant part of this paper deals with establishing adequacy results that show
a formal connection between the "standard" definitions of judgments concerning
the π-calculus and the definitions given in logic (see the appendices for the details).
These adequacy results are all rather tedious and shallow but seem necessary to
ensure that we have not invented our own problems for which we provide good
solutions. It would seem, however, that the tedious nature of the adequacy results
can be attributed to the large gap between our proof-theoretic approach and the
"standard" approach used to encode the π-calculus: now that some of these basic
adequacy results have been written down, the adequacy results for any additional
logical specifications using λ-tree syntax should follow more immediately.

We note that our effort in developing a proof-theoretic setting for the π-calculus
has led us to find new descriptions for, in particular, the underlying assumptions on
names in open and late bisimulations. This examination has led us to characterize
the differences between open and late bisimulations in a simple and logical fashion:
in particular, as the difference in name quantification and in the assumption about
decidability of name equality.
A. PROPERTIES OF ONE-STEP TRANSITIONS

To prove the adequacy results for the encodings of bisimulation and modal logics,
we shall consider some derived rules which allow us to enumerate all possible next
states from a given process. In the following, we use the notation $\alpha^n \to \beta$ to denote
the type $\alpha \to \cdots \to \alpha \to \beta$ with n occurrences of α, and we write $\alpha^* \to \beta$ to denote
$\alpha^n \to \beta$ for some $n \geq 0$.

Due to space limits, some results in this section are stated without proofs, but they
can be found in the electronic appendix of the paper.

Definition 29. The judgments $\sigma \triangleright P \xrightarrow{A} Q$ and $\sigma \triangleright P \xrightharpoonup{A} Q$ are higher-order
patterned judgments, or patterned judgments for short, if

(1) every occurrence of a free variable in the judgment is applied to distinct
names which are either in σ or bound by λ-abstractions, i.e., it has the form $M\,a_1 \cdots a_n$
where each $a_i \in \sigma$ or is bound by some λ-abstraction, and $a_1, \ldots, a_n$ are pairwise
distinct,

(2) the only occurrences of free variables in P are those of type $n^k \to n$ where
$k \geq 0$, and the only occurrences of free variables in A are those of type $n^k \to n$
or $n^k \to a$,

(3) and Q is of the form $(M\,\bar{\sigma})$ for some variable M.

The process term P in the transition predicates $P \xrightarrow{A} Q$ and $P \xrightharpoonup{A} Q$ is called a
primary process term. The notion of patterned judgments extends to non-atomic
judgments, which are defined inductively as follows:

— $\sigma \triangleright \top$ is a patterned judgment,

— if $\sigma \triangleright B$ and $\sigma \triangleright C$ are patterned judgments such that the two judgments have no
free variables in common which are of type $n^* \to p$, then $\sigma \triangleright B \wedge C$ is a patterned
judgment,

— if $\sigma x \triangleright B$ is a patterned judgment, then $\sigma \triangleright \nabla x.B$ is a patterned judgment,

— and if $\sigma \triangleright B[h\,\bar{\sigma}/y]$ is a patterned judgment then $\sigma \triangleright \exists y.B$ is a patterned judgment,
provided that h is of type $n^k \to a$ or $n^k \to p$, and h is not free in $\exists y.B$.

Two patterned judgments A and B are p-compatible if they do not have variables
in common which are of type $n^* \to p$.

The restrictions on the occurrences of free variables in patterned judgments are
similar to the restrictions used in higher-order pattern unification. This is to ensure
that proof search for patterned judgments involves only higher-order pattern
unification.

Let ρ be a substitution and let Σ be a signature. We write $\Sigma \vdash \rho$ if for every
$x \in \mathrm{dom}(\rho)$ of type τ, we have $\Sigma \vdash x\rho : \tau$. Two signatures Σ and Σ' are said to
be compatible if whenever $x : \tau_1 \in \Sigma$ and $y : \tau_2 \in \Sigma'$, $x = y$ implies $\tau_1 = \tau_2$. Given
two signature-and-substitution pairs $(\Sigma_1, \rho_1)$ and $(\Sigma_2, \rho_2)$ such that Σ₁ and Σ₂ are
compatible, $\Sigma_1 \vdash \rho_1$ and $\Sigma_2 \vdash \rho_2$, we write $(\Sigma_1, \rho_1) \circ (\Sigma_2, \rho_2)$ to denote the
pair $(\Sigma_1\rho_2 \cup \Sigma_2,\; \rho_1 \circ \rho_2)$. This definition of composition extends straightforwardly
to composition between a pair and a set or a list of pairs.
Let us call a signature-substitution pair (Σ, ρ) a solution for a patterned judgment
C if $\Sigma \vdash \rho$ and $\Sigma;\; \cdot \vdash C\rho$ is provable. In proving the adequacy of the encoding of
bisimulation and modal logics for the π-calculus, we often want to find all possible
solutions to a given transition relation, which corresponds to enumerating all possible
continuations of a given process. For this purpose, we define a construction of
"open" derivation trees for a given list of patterned judgments Δ. Open derivation
trees are trees made of nodes which are instances of certain inference rules. This
construction gives us a set of derivation trees for the sequent $\Delta \vdash \bot$, following a
certain order of rule applications. As we shall see, the construction of the trees
basically amounts to the application of left-introduction rules to Δ. We are interested
in collecting all the substitutions generated by the defL rule in these trees, which
we will show to correspond to the solutions for the patterned judgments in Δ.

Definition 30. Let Δ be a list of patterned judgments such that its elements
are pairwise p-compatible, and let (Σ, θ) be a pair such that $\Sigma \vdash \theta$ and the
free variables of Δ are in Σ. An open inference rule is an inference on triples of the
form (Σ', Δ', θ') where Σ' is a signature, Δ' is a list of patterned judgments and θ'
is a substitution such that $\Sigma' \vdash \theta'$. We will use the notation $(\Sigma', \theta') \vdash \Delta'$ to denote
such a triple. Open derivation trees are derivations constructed using the following
open inference rules:

    ---------------------- open        $(\Sigma, \theta) \vdash \Delta'$
    $(\Sigma, \theta) \vdash [\,]$                     ---------------------------------- ⊤
                                         $(\Sigma, \theta) \vdash \sigma \triangleright \top,\, \Delta'$

    $(\Sigma, \theta) \vdash \sigma \triangleright A,\; \sigma \triangleright B,\; \Delta'$          $(\Sigma \cup \{h\}, \theta) \vdash \sigma \triangleright B\,(h\,\bar{\sigma}),\; \Delta'$
    ------------------------------------------- ∧          ------------------------------------------------- ∃
    $(\Sigma, \theta) \vdash \sigma \triangleright A \wedge B,\; \Delta'$                 $(\Sigma, \theta) \vdash \sigma \triangleright \exists x.\,B\,x,\; \Delta'$

    $\{\, (\Sigma\rho,\; \theta \circ \rho) \vdash B\rho,\; \Delta'\rho \;\mid\; \rho \in \mathrm{CSU}(A, H),\; H \triangleq B \,\}$
    ------------------------------------------------------------------- def
    $(\Sigma, \theta) \vdash A,\; \Delta'$

In the ∃-rule, the eigenvariable h is new, i.e., it is not in Σ. In the def-rule, we require
that for every $\rho \in \mathrm{CSU}(A, H)$, the judgments $B\rho, \Delta'\rho$ are patterned judgments.
That is, we restrict the CSUs to those that preserve the pattern restrictions on
judgments. The instances of the open-rule in an open derivation are called the open
leaves of the derivation. Given an open derivation Π, we denote by $\mathcal{L}(\Pi)$ the set
of signature-substitution pairs in the open leaves of Π.

Definition 31. The measure of a patterned judgment $\sigma \triangleright B$, written $|\sigma \triangleright B|$, is the number of process constructors occurring in the primary terms in $B$. The measure of a list of judgments $\Delta$ is the multiset of measures of the judgments in $\Delta$.

Lemma 32. Let $\Delta$ be a list of patterned judgments such that its elements are pairwise p-compatible, and whose variables are in a given signature $\Sigma$. Let $\theta$ be a substitution such that $\Sigma \vdash \theta$. Then there exists an open derivation $\Pi$ of $(\Sigma, \theta) \vdash \Delta$.

Lemma 33. Let $\Sigma_1$, $\Sigma_2$, $\theta_1$ and $\theta_2$ be signatures and substitutions such that $\Sigma_1 \vdash \theta_1$ and $\Sigma_2 \vdash \theta_2$. Let $\Delta$ be a list of pairwise p-compatible patterned judgments such that all its free variables are in $\Sigma_2$. If there exists an open derivation $\Pi_1$ of $(\Sigma_1\theta_2 \cup \Sigma_2, \theta_1 \circ \theta_2) \vdash \Delta$, then there exists an open derivation $\Pi_2$ of $(\Sigma_2, \theta_2) \vdash \Delta$ of the same height such that $\mathcal{L}(\Pi_1) = (\Sigma_1, \theta_1) \circ \mathcal{L}(\Pi_2)$, and vice versa.

ACM Journal Name, Vol. V, No. N, 20YY.

Proof Search Specifications of the π-calculus • 37

The following lemma states that the open leaves in an open derivation are solutions of the patterned judgments on the root of the derivation tree. This can be proved by induction on the height of derivation and case analysis on the definition clauses of one-step transitions.

Lemma 34. Let $\Delta$ be a list of patterned judgments such that its elements are pairwise p-compatible and whose variables are in a given signature $\Sigma$. Let $\Pi$ be an open derivation of $(\Sigma, \epsilon) \vdash \Delta$. Then for every element $C \in \Delta$ and every pair $(\Sigma', \theta) \in \mathcal{L}(\Pi)$, the sequent $\Sigma' ; \cdot \vdash C\theta$ is provable.

We are now ready to define the following derived rules. The rule $\mathit{one}_f$ enumerates all possible free actions that a process can perform. Given a patterned judgment $n \triangleright P \xrightarrow{A} Q$ and an open derivation $\Pi$ of $(\Sigma, \epsilon) \vdash n \triangleright P \xrightarrow{A} Q$, the $\mathit{one}_f$ rule, applied to this judgment, is as follows:

$$\frac{\{\Sigma' ; \Gamma\theta \vdash C\theta \mid (\Sigma', \theta) \in \mathcal{L}(\Pi)\}}{\Sigma ; n \triangleright P \xrightarrow{A} Q, \Gamma \vdash C}\ \mathit{one}_f$$

The corresponding rule for bound input or bound output transition is defined analogously, i.e.,

$$\frac{\{\Sigma' ; \Gamma\theta \vdash C\theta \mid (\Sigma', \theta) \in \mathcal{L}(\Pi)\}}{\Sigma ; n \triangleright P \overset{A}{\rightharpoonup} M, \Gamma \vdash C}\ \mathit{one}_b$$

where $\Pi$ is an open derivation of $(\Sigma, \epsilon) \vdash n \triangleright P \overset{A}{\rightharpoonup} M$. Since open inference rules are essentially invertible left-rules of $FO\lambda^{\Delta\nabla}$, these derived rules are sound and invertible.
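As an added illustration (not from the paper), here is an open derivation for a sum of two output prefixes, showing how the pairs collected in $\mathcal{L}(\Pi)$ become the premises of $\mathit{one}_f$. It assumes a schematic rendering of the encoding: one definition clause for each summand of a sum, and one clause for output prefix with body $\top$, written $\bar{x}y.P \xrightarrow{\bar{x}y} P \triangleq \top$; these clause shapes, the process $P$ and the variables $A, P'$ are assumptions of the example.

Let $P = \bar{x}y.0 + \bar{z}w.0$, let $\Sigma = \{x, y, z, w, A, P'\}$, and let the root judgment be $n \triangleright P \xrightarrow{A\,n} (P'\,n)$, with $A$ and $P'$ raised over the local name $n$. The $\mathit{def}$ rule on the sum clauses yields two premises, and on each of these the output clause yields a single unifier:

$$\theta_1 = [\lambda n.\bar{x}y/A,\ \lambda n.0/P'], \qquad \theta_2 = [\lambda n.\bar{z}w/A,\ \lambda n.0/P'], \qquad \Sigma_i = \Sigma\theta_i = \{x, y, z, w\}.$$

$$\frac{\dfrac{\dfrac{\dfrac{}{(\Sigma_1,\theta_1)\vdash[\,]}\ \mathit{open}}{(\Sigma_1,\theta_1)\vdash n\triangleright\top}\ \top}{(\Sigma,\epsilon)\vdash n\triangleright \bar{x}y.0 \xrightarrow{A\,n}(P'\,n)}\ \mathit{def} \qquad \dfrac{\dfrac{\dfrac{}{(\Sigma_2,\theta_2)\vdash[\,]}\ \mathit{open}}{(\Sigma_2,\theta_2)\vdash n\triangleright\top}\ \top}{(\Sigma,\epsilon)\vdash n\triangleright \bar{z}w.0 \xrightarrow{A\,n}(P'\,n)}\ \mathit{def}}{(\Sigma,\epsilon)\vdash n\triangleright P \xrightarrow{A\,n}(P'\,n)}\ \mathit{def}$$

Hence $\mathcal{L}(\Pi) = \{(\Sigma_1, \theta_1), (\Sigma_2, \theta_2)\}$, and $\mathit{one}_f$ applied to $\Sigma ; n \triangleright P \xrightarrow{A\,n} (P'\,n), \Gamma \vdash C$ has exactly the two premises $\Sigma_1 ; \Gamma\theta_1 \vdash C\theta_1$ and $\Sigma_2 ; \Gamma\theta_2 \vdash C\theta_2$, one per continuation of $P$. Had the action in the root judgment been a ground action matching neither clause head (say $\tau$), every $CSU$ would be empty, the $\mathit{def}$ rule would have no premises, $\mathcal{L}(\Pi)$ would be empty, and $\mathit{one}_f$ would prove $\Sigma ; n \triangleright P \xrightarrow{\tau} Q \vdash \bot$ outright, which is the shape of argument used below in the proof of Proposition 9.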

Lemma 35. The rules $\mathit{one}_f$ and $\mathit{one}_b$ are invertible and derivable in $FO\lambda^{\Delta\nabla}$.

We can now prove Proposition 9.

Proof. Suppose that $P \xrightarrow{\alpha} Q$ does not hold in the $\pi$-calculus. We show that the sequent $\neg\nabla\vec{n}.[P \xrightarrow{\alpha} Q]$ is derivable in $FO\lambda^{\Delta\nabla}$. This is equivalent to proving the sequent $\cdot ; \vec{n} \triangleright [P \xrightarrow{\alpha} Q] \vdash \bot$. We apply either $\mathit{one}_f$ or $\mathit{one}_b$ to the sequent (bottom-up), depending on whether $\alpha$ is a free or a bound action. In both cases, if the premise of the $\mathit{one}_f$ or $\mathit{one}_b$ is empty, then we are done. Otherwise, there exists a substitution $\theta$ such that $(\nabla\vec{n}.[P \xrightarrow{\alpha} Q])\theta$ is derivable in $FO\lambda^{\Delta\nabla}$. Since the transition judgment is ground, this would mean that $\nabla\vec{n}.[P \xrightarrow{\alpha} Q]$ is derivable, and by Proposition 8, the transition $P \xrightarrow{\alpha} Q$ holds in the $\pi$-calculus, contradicting our assumption.

Conversely, suppose that $\neg\nabla\vec{n}.[P \xrightarrow{\alpha} Q]$ is derivable in $FO\lambda^{\Delta\nabla}$. Then $P \xrightarrow{\alpha} Q$ cannot be a transition in the $\pi$-calculus, for otherwise, we would have $\vdash \nabla\vec{n}.[P \xrightarrow{\alpha} Q]$ by Proposition 8, and by cut, we would have a proof of $\bot$, which is impossible. □

B. ADEQUACY OF THE SPECIFICATIONS OF BISIMULATIONS

We need some auxiliary lemmas that concern the structures of cut-free proofs. The next three lemmas can be proved by simple permutations of inference rules.

Lemma 36. Let $\Pi$ be a cut-free derivation of $\cdot ; \Gamma \vdash C$, where $C$ contains a non-equality atomic formula and every judgment in $\Gamma$ is in one of the following forms:

$$\vec{n} \triangleright \forall x \forall y. x = y \vee x \neq y \qquad \vec{n} \triangleright \forall y. a = y \vee a \neq y \qquad \vec{n} \triangleright a = b \vee a \neq b$$

$$\vec{n} \triangleright a = a \vee a \neq a \qquad \vec{n} \triangleright a = a \qquad \vec{n} \triangleright a \neq b$$

for some $\vec{n}$ and distinct names $a, b$ in $\vec{n}$. Then there exists a derivation of the sequent which ends with a right-introduction rule on $C$.

Lemma 37. The $\mathit{def}\mathcal{R}$ rule, applied to $\mathit{lbisim}\ P\ Q$, for any $P$ and $Q$, is invertible.

Lemma 38. The $\mathit{def}\mathcal{R}$ rule, applied to $\mathit{ebisim}\ P\ Q$, for any $P$ and $Q$, is invertible.

B.1 Adequacy of the specification of late bisimulation

In the following, we use the notation $x_1 \neq x_2 \neq \cdots \neq x_{n-1} \neq x_n$ to abbreviate the conjunction

$$\bigwedge \{x_i \neq x_j \mid i, j \in \{1, \ldots, n\},\ i \neq j\}.$$

With a slight abuse of notation, we shall write $X \supset B$, where $X$ is a finite set of formulas $\{B_1, \ldots, B_n\}$, to mean $B_1 \wedge \cdots \wedge B_n \supset B$, and we shall write $\nabla y.X$ to mean the formula $\nabla y.B_1 \wedge \cdots \wedge \nabla y.B_n$.

Lemma 39. Let $P$ and $Q$ be two late-bisimilar finite $\pi$-processes and let $n_1, \ldots, n_k$ be the free names in $P$ and $Q$. Then for some finite set $X \subseteq \mathcal{E}$, we have

$$\vdash \forall n_1 \cdots \forall n_k.(X \wedge n_1 \neq n_2 \neq \cdots \neq n_k \supset \mathit{lbisim}\ P\ Q). \qquad (3)$$

Proof. We construct a proof of formula (3) by induction on the size of $P$ and $Q$, i.e., the number of action prefixes in $P$ and $Q$. It can be easily shown that the number of prefixes in a process is reduced by transitions, for finite processes. By applying the introduction rules for $\forall$, $\supset$ and unfolding the definition of $\mathit{lbisim}$ (bottom up) to the formula (3), we get the following three sequents:

(1) $n_1, \ldots, n_k, A, P' ; X, n_1 \neq \cdots \neq n_k, P \xrightarrow{A} P' \vdash \exists Q'. Q \xrightarrow{A} Q' \wedge \mathit{lbisim}\ P'\ Q'$

(2) $n_1, \ldots, n_k, X, P' ; X, n_1 \neq \cdots \neq n_k, P \overset{\downarrow X}{\rightharpoonup} P' \vdash \exists Q'. Q \overset{\downarrow X}{\rightharpoonup} Q' \wedge \forall w.\mathit{lbisim}\ (P'\,w)\ (Q'\,w)$

(3) $n_1, \ldots, n_k, X, P' ; X, n_1 \neq \cdots \neq n_k, P \overset{\uparrow X}{\rightharpoonup} P' \vdash \exists Q'. Q \overset{\uparrow X}{\rightharpoonup} Q' \wedge \nabla w.\mathit{lbisim}\ (P'\,w)\ (Q'\,w)$

and their symmetric counterparts (obtained by exchanging the roles of $P$ and $Q$). The set $X$ is left unspecified above, since it will be constructed by induction hypothesis (in the base case, where both $P$ and $Q$ are deadlocked processes, define $X$ to be the empty set). We show here how to construct proofs for these three sequents; their symmetric counterparts can be proved similarly. In all these three cases, we apply either the $\mathit{one}_f$ rule (for sequent 1) or the $\mathit{one}_b$ rule (for sequents 2 and 3). If this application of $\mathit{one}_f$ (or $\mathit{one}_b$) results in two distinct name-variables, say $n_1$ and $n_2$, to be identified, then the sequent is proved by using the assumption $n_1 \neq n_2$. Therefore the only interesting cases are when the name-variables $n_1, \ldots, n_k$ are instantiated to distinct name-variables, say, $m_1, \ldots, m_k$. In the following we assume that the substitutions in the premises of $\mathit{one}_f$ or $\mathit{one}_b$ are non-trivial, meaning that they do not violate the assumption on name-distinction above.

Sequent 1. In this case, after applying the $\mathit{one}_f$ rule bottom up and discharging the trivial premises, we need to prove, for each $\theta$ associated with the rule, the sequent

$$m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \exists Q'. Q\theta \xrightarrow{A\theta} Q' \wedge \mathit{lbisim}\ (P'\theta)\ Q'$$

for some signature $\Sigma$. We give a top-down construction of a derivation of this sequent as follows. By Lemma 34, we know that

$$\vdash m_1, \ldots, m_k, \Sigma ; \cdot \vdash P\theta \xrightarrow{A\theta} P'\theta.$$

Since $m_1, \ldots, m_k$ are the only free names in $P\theta$, we can show by induction on proofs that $\Sigma$ in the sequent is redundant and can be removed, thus

$$\vdash m_1, \ldots, m_k ; \cdot \vdash P\theta \xrightarrow{A\theta} P'\theta.$$

By the adequacy of one-step transition (Proposition 8), we have $P\theta \xrightarrow{A\theta} P'\theta$. Notice that $P$ is a renaming of $P\theta$, since $m_1, \ldots, m_k$ are pairwise distinct. We recall that both one-step transitions and (late) bisimulation are closed under injective renaming (see, e.g., [Milner et al. 1992]). Therefore, there exist $\alpha$ and $R$ such that $P \xrightarrow{\alpha} R$, where $\alpha$ and $R$ are obtained from $A\theta$ and $P'\theta$, respectively, under the same injective renaming. Since $P$ and $Q$ are bisimilar, there exists $T$ such that $Q \xrightarrow{\alpha} T$, hence, by injective renaming and the adequacy result for one-step transitions, the sequent $m_1, \ldots, m_k ; \cdot \vdash Q\theta \xrightarrow{A\theta} T\theta$ is provable. It remains to show that

$$\vdash m_1, \ldots, m_k ; X, m_1 \neq \cdots \neq m_k \vdash \mathit{lbisim}\ (P'\theta)\ (T\theta).$$

By induction hypothesis (note that the size of $(R, T)$ is smaller than $(P, Q)$), we have

$$\vdash \forall x_1 \cdots \forall x_j. X' \wedge x_1 \neq \cdots \neq x_j \supset \mathit{lbisim}\ R\ T$$

where $\{x_1, \ldots, x_j\}$ is a subset of $\{n_1, \ldots, n_k\}$. We can weaken the formula with extra variables and assumptions to get

$$\vdash \forall n_1 \cdots \forall n_k. X' \wedge n_1 \neq \cdots \neq n_k \supset \mathit{lbisim}\ R\ T.$$

Now since the $\forall\mathcal{R}$ and $\supset\mathcal{R}$ rules are invertible, this means

$$\vdash n_1, \ldots, n_k ; X', n_1 \neq \cdots \neq n_k \vdash \mathit{lbisim}\ R\ T.$$

Now define $X$ to be $X'$ and apply a renaming substitution which maps each $n_i$ to $m_i$; we get a derivation of

$$m_1, \ldots, m_k ; X, m_1 \neq \cdots \neq m_k \vdash \mathit{lbisim}\ (P'\theta)\ (T\theta).$$

Since provability is closed under weakening of signature, we have

$$\vdash m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \mathit{lbisim}\ (P'\theta)\ (T\theta),$$

and together with provability of $m_1, \ldots, m_k ; \cdot \vdash Q\theta \xrightarrow{A\theta} T\theta$, we get

$$\vdash m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash Q\theta \xrightarrow{A\theta} T\theta \wedge \mathit{lbisim}\ (P'\theta)\ (T\theta).$$

Finally, applying an $\exists\mathcal{R}$ to this sequent, we get

$$\vdash m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \exists Q'. Q\theta \xrightarrow{A\theta} Q' \wedge \mathit{lbisim}\ (P'\theta)\ Q'.$$

Sequent 2. In this case, we need to prove the sequent

$$(*) \quad m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \exists Q'. Q\theta \overset{\downarrow X\theta}{\rightharpoonup} Q' \wedge \forall w.\mathit{lbisim}\ ((P'\theta)\,w)\ (Q'\,w)$$

for each non-trivial $\theta$ in the premises of the $\mathit{one}_b$ rule. By the same reasoning as in the previous case, we obtain, for every transition $P\theta \xrightarrow{x(w)} R$, where $R = (P'\theta)\,w$, another transition $Q\theta \xrightarrow{x(w)} T$ such that for all names $z$, $R[z/w] \sim_l T[z/w]$. It is enough to consider $k+1$ cases for $z$, i.e., those in which $z$ is one of $m_1, \ldots, m_k$ and another where $z$ is a new name, say $m_{k+1}$. By induction hypothesis, we have, for each $i \in \{1, \ldots, k\}$, a provable formula $F_i$

$$\forall m_1 \cdots \forall m_k. X_i \wedge m_1 \neq \cdots \neq m_k \supset \mathit{lbisim}\ (R[m_i/w])\ (T[m_i/w])$$

and a provable formula $F_{k+1}$:

$$\forall m_1 \cdots \forall m_{k+1}. X_{k+1} \wedge m_1 \neq \cdots \neq m_{k+1} \supset \mathit{lbisim}\ (R[m_{k+1}/w])\ (T[m_{k+1}/w]).$$

Let $X$ be the set $\{\forall x \forall y. x = y \vee x \neq y\} \cup \{X_i \mid i \in \{1, \ldots, k+1\}\}$. Then the sequent $(*)$ is proved, in a bottom-up fashion, by instantiating $Q'$ to $\lambda w.T$, followed by an $\wedge\mathcal{R}$-rule, resulting in the sequents:

$$m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash Q\theta \overset{\downarrow X\theta}{\rightharpoonup} \lambda w.T \quad \text{and}$$

$$m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \forall w.\mathit{lbisim}\ R\ T$$

The first sequent is provable following the adequacy of one-step transition. For the second sequent, we apply the $\forall\mathcal{R}$-rule to get the sequent

$$m_1, \ldots, m_k, m_{k+1}, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \mathit{lbisim}\ (R[m_{k+1}/w])\ (T[m_{k+1}/w]).$$

We then do a case analysis on the name $m_{k+1}$, using the assumption $\forall x \forall y. x = y \vee x \neq y$ in $X$. Let $R_{k+1} = R[m_{k+1}/w]$ and let $T_{k+1} = T[m_{k+1}/w]$. We consider $k$ instantiations, each instantiation comparing $m_{k+1}$ with $m_i$, for $i \in \{1, \ldots, k\}$. We thus get the following sequents:

$(S_1)$ $\Sigma' ; \Delta, m_1 = m_{k+1} \vdash \mathit{lbisim}\ R_{k+1}\ T_{k+1}$

$(S_2)$ $\Sigma' ; \Delta, m_1 \neq m_{k+1}, m_2 = m_{k+1} \vdash \mathit{lbisim}\ R_{k+1}\ T_{k+1}$

$\vdots$

$(S_k)$ $\Sigma' ; \Delta, m_1 \neq m_{k+1}, \ldots, m_{k-1} \neq m_{k+1}, m_k = m_{k+1} \vdash \mathit{lbisim}\ R_{k+1}\ T_{k+1}$

$(S_{k+1})$ $\Sigma', m_{k+1} ; \Delta, m_1 \neq m_2, \ldots, m_{k-1} \neq m_k, m_k \neq m_{k+1} \vdash \mathit{lbisim}\ R_{k+1}\ T_{k+1}$

Here $\Sigma'$ denotes the set $\{m_1, \ldots, m_{k+1}\} \cup \Sigma$ and $\Delta$ denotes the set $\{X, m_1 \neq \cdots \neq m_k\}$. Provability of these sequents follows from provability of $F_1, \ldots, F_{k+1}$.
Sequent 3. In this case, we need to prove the sequent

$$(**) \quad m_1, \ldots, m_k, \Sigma ; X, m_1 \neq \cdots \neq m_k \vdash \exists Q'. Q\theta \overset{\uparrow X\theta}{\rightharpoonup} Q' \wedge \nabla w.\mathit{lbisim}\ ((P'\theta)\,w)\ (Q'\,w)$$

for each non-trivial $\theta$ in the premises of the $\mathit{one}_b$ rule. As in the previous case, we obtain $R$ and $T$ such that $P\theta \xrightarrow{\bar{x}(w)} R$ and $Q\theta \xrightarrow{\bar{x}(w)} T$ where $\lambda w.R = P'\theta$. We assume, without loss of generality, that $w$ is fresh. By the induction hypothesis, $R \sim_l T$ and

$$\vdash \forall m_1 \cdots \forall m_k \forall w. X' \wedge m_1 \neq \cdots \neq m_k \neq w \supset \mathit{lbisim}\ R\ T.$$

Now apply Proposition 3 to replace $\forall w$ with $\nabla w$,

$$\vdash \forall m_1 \cdots \forall m_k \nabla w. X' \wedge m_1 \neq \cdots \neq m_k \neq w \supset \mathit{lbisim}\ R\ T.$$

And since $\nabla$ distributes over all propositional connectives, we also have

$$\vdash \forall m_1 \cdots \forall m_k. (\nabla w.X') \wedge \nabla w.(m_1 \neq \cdots \neq m_k) \wedge \nabla w.(\vec{m} \neq w) \supset \nabla w.\mathit{lbisim}\ R\ T.$$

Let $X = \nabla w.X'$. Now, since the right-introduction rules for $\forall$, $\nabla$ and $\supset$ are all invertible, we have that the sequent

$$(i) \quad m_1, \ldots, m_k ; X, \nabla w.(m_1 \neq \cdots \neq m_k), \nabla w.(\vec{m} \neq w) \vdash \nabla w.\mathit{lbisim}\ R\ T$$

is provable. It can be easily checked that the following sequents are provable:

$$\nabla w. m_i \neq m_j \vdash m_i \neq m_j, \text{ for any } i \text{ and } j.$$

$$\vdash \nabla w. m_i \neq w, \text{ for any } i \text{ (since } w \text{ is in the scope of } m_i\text{)}.$$

By applying the cut rules to these sequents and sequent (i) above, we obtain

$$(ii) \quad m_1, \ldots, m_k ; X, m_1 \neq \cdots \neq m_k \vdash \nabla w.\mathit{lbisim}\ R\ T.$$

Provability of sequent $(**)$ then follows from provability of sequent (ii) above and the adequacy of the one-step transition (i.e., by instantiating $Q'$ with $\lambda w.T$). □

The following lemma shows that $\mathit{lbisim}$ is symmetric. Its proof is straightforward by induction on derivations.

Lemma 40. Let $P$ and $Q$ be two $\pi$-processes and let $\vec{n}$ be the list of all free names in $P$ and $Q$. If $\vdash X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q$, for some $X \subseteq \mathcal{E}$, then $\vdash X \supset \nabla\vec{n}.\mathit{lbisim}\ Q\ P$.

B.2 Proof for Theorem 15 (adequacy of late bisimulation specification)

Soundness. We define a set $S$ as

$$S = \{(P, Q) \mid\ \vdash X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q, \text{ where } fn(P, Q) \subseteq \{\vec{n}\} \text{ and } X \subseteq_f \mathcal{E}\}$$

and show that $S$ is a bisimulation, i.e., it is symmetric and closed with respect to the conditions 1, 2 and 3 in Definition 11. The symmetry of $S$ follows from Lemma 40.

Suppose that $(P, Q) \in S$, that is, $\vdash X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q$ for some $X$. Since $\mathit{def}\mathcal{R}$ on $\mathit{lbisim}$ is invertible (Lemma 37), and since $\wedge\mathcal{R}$, $\supset\mathcal{R}$, $\forall\mathcal{R}$ and $\nabla\mathcal{R}$ are also invertible, there is a proof of the formula that ends with applications of these invertible rules. From this and the definition of $\mathit{lbisim}$, we can infer that provability of $X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q$ implies provability of six other sequents, three of which are given in the following (the other three are symmetric counterparts of these):

(a) $P', A ; X, \vec{n} \triangleright P \xrightarrow{A\,\vec{n}} (P'\,\vec{n}) \vdash \vec{n} \triangleright \exists Q'. Q \xrightarrow{A\,\vec{n}} Q' \wedge \mathit{lbisim}\ (P'\,\vec{n})\ Q'$

(b) $M, X ; X, \vec{n} \triangleright P \overset{\downarrow(X\,\vec{n})}{\rightharpoonup} (M\,\vec{n}) \vdash \vec{n} \triangleright \exists N. Q \overset{\downarrow(X\,\vec{n})}{\rightharpoonup} N \wedge \forall y.\mathit{lbisim}\ (M\,\vec{n}\,y)\ (N\,y)$

(c) $M, X ; X, \vec{n} \triangleright P \overset{\uparrow(X\,\vec{n})}{\rightharpoonup} (M\,\vec{n}) \vdash \vec{n} \triangleright \exists N. Q \overset{\uparrow(X\,\vec{n})}{\rightharpoonup} N \wedge \nabla y.\mathit{lbisim}\ (M\,\vec{n}\,y)\ (N\,y)$

By examining the structure of proofs of these three sequents, we show that $S$ is closed under all possible transitions from $P$ and $Q$. We examine the three cases in Definition 11:

(1) Suppose $P \xrightarrow{\alpha} P'$ for some free action $\alpha$. Since $P \xrightarrow{\alpha} P'$, by the adequacy result for one-step transitions, we have that $\vec{n} \triangleright P \xrightarrow{\alpha} P'$ is derivable. Let $\rho = [\lambda\vec{n}.\alpha/A, \lambda\vec{n}.P'/P']$. Applying $\rho$ to the derivation of sequent (a), we get

$$\vdash \cdot ; X, \vec{n} \triangleright P \xrightarrow{\alpha} P' \vdash \vec{n} \triangleright \exists Q'. Q \xrightarrow{\alpha} Q' \wedge \mathit{lbisim}\ P'\ Q'.$$

By a cut between $\vec{n} \triangleright P \xrightarrow{\alpha} P'$ and this sequent, we obtain a derivation of

$$\cdot ; X \vdash \vec{n} \triangleright \exists Q'. Q \xrightarrow{\alpha} Q' \wedge \mathit{lbisim}\ P'\ Q'.$$

By Lemma 36, we know that there exists a derivation of this sequent which ends with a right-rule, hence, there exists a process $Q'$ such that $\vdash \cdot ; X \vdash \vec{n} \triangleright Q \xrightarrow{\alpha} Q'$ and $\vdash \cdot ; X \vdash \vec{n} \triangleright \mathit{lbisim}\ P'\ Q'$. It is easy to show that $X$ plays no part in the proof of the first sequent, so it can be removed from the sequent. Hence by the adequacy of one-step transitions, we have $Q \xrightarrow{\alpha} Q'$. Provability of the second sequent implies that $(P', Q')$ is in the set $S$. Thus $S$ is indeed closed under the $\alpha$-transition.

(2) Suppose that $P \xrightarrow{a(y)} P'$. Applying a similar argument as in the previous case to sequent (b) with substitution $\rho = [\lambda\vec{n}.a/X, \lambda\vec{n}.\lambda y.P'/M]$, we obtain a provable sequent

$$\cdot ; X \vdash \vec{n} \triangleright \exists N. Q \overset{\downarrow a}{\rightharpoonup} N \wedge \forall y.\mathit{lbisim}\ P'\ (N\,y).$$

Again, as in the previous case, using Lemma 36, we can show that $Q \xrightarrow{a(y)} Q'$ for some process $Q'$ such that $\vdash \cdot ; X \vdash \vec{n} \triangleright \forall y.\mathit{lbisim}\ P'\ Q'$. This implies that

(i) $X \supset \nabla\vec{n}\forall y.\mathit{lbisim}\ P'\ Q'$,

(ii) $X \supset \nabla\vec{n}.\mathit{lbisim}\ (P'[w/y])\ (Q'[w/y])$, where $w \in \{\vec{n}\}$,

(iii) $(\nabla y.X) \supset \nabla y\nabla\vec{n}.\mathit{lbisim}\ P'\ Q'$

are all provable. The formula (ii) is obtained from (i) by instantiating $y$ with one of $\vec{n}$. The formula (iii) is obtained from (i) as follows: Since

$$\nabla x \forall y. P\,x\,y \supset \forall y \nabla x. P\,x\,y \quad \text{and} \quad (A \supset \forall y.B) \supset (\forall y.(A \supset B)),$$

where $y$ is not free in $A$, are theorems of $FO\lambda^{\Delta\nabla}$, we can enlarge the scope of $y$ in (i) to the outermost level: hence, we have that $\forall y.(X \supset \nabla\vec{n}.\mathit{lbisim}\ P'\ Q')$ is provable. Now apply Proposition 3 to turn $\forall y$ into $\nabla y$, then distribute the $\nabla y$ over the implication $\supset$ and conjunction $\wedge$, and we have (iii). It remains to show that for every name $w$, the pair $(P'[w/y], Q'[w/y])$ is in $S$. There are two cases to consider: the case where $w$ is among $\vec{n}$ follows straightforwardly from (ii); the other case, where $w$ is a new name, follows from (iii).

(3) Suppose $P \xrightarrow{\bar{a}(y)} P'$. Using the same argument as in the previous case, we can show that there exists a process $Q'$ such that $Q \xrightarrow{\bar{a}(y)} Q'$ and such that

$$\vdash \cdot ; X \vdash \vec{n} \triangleright \nabla y.\mathit{lbisim}\ P'\ Q'.$$

The latter entails that $(P', Q') \in S$, as required. □
B.3 Completeness

We are given $P \sim_l Q$ and we need to show that $\vdash X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q$, where $X \subseteq_f \mathcal{E}$ and $\vec{n} = \{n_1, \ldots, n_k\}$ includes all the free names in $P$ and $Q$. From Lemma 39 we have that

$$\vdash \forall n_1 \cdots \forall n_k.(X' \wedge n_1 \neq \cdots \neq n_k \supset \mathit{lbisim}\ P\ Q)$$

for some $X' \subseteq_f \mathcal{E}$. By Proposition 3, we can turn all the $\forall$ into $\nabla$, hence

$$\vdash \nabla n_1 \cdots \nabla n_k.(X' \wedge n_1 \neq \cdots \neq n_k \supset \mathit{lbisim}\ P\ Q).$$

Since $\nabla$ distributes over all propositional connectives, we have

$$\vdash (\nabla\vec{n}.X') \wedge \nabla\vec{n}.(n_1 \neq \cdots \neq n_k) \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q.$$

Now, $\nabla\vec{n}. n_1 \neq \cdots \neq n_k$ is a theorem of $FO\lambda^{\Delta\nabla}$ (since any two distinct $\nabla$-quantified names are not equal), therefore by modus ponens we have

$$\vdash \nabla\vec{n}.X' \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q.$$

Let $X = \nabla\vec{n}.X'$; then we have $X \supset \nabla\vec{n}.\mathit{lbisim}\ P\ Q$ as required. □

B.4 Adequacy of the specification of early bisimulation

The proof for the adequacy of the specification of early bisimulation follows a similar outline as that of late bisimulation. The proof is rather tedious and is not enlightening. We therefore omit the proof and refer interested readers to the electronic appendix of the paper for more details.

B.5 Adequacy of the specification of open bisimulation

Proof of Lemma 18: The proof proceeds by induction on the length of the quantifier prefix $\mathcal{Q}\vec{x}$. At each stage of the induction, we construct a quantifier prefix $\mathcal{Q}\vec{y}$ such that $\mathcal{Q}\vec{x}.P \supset \mathcal{Q}\vec{y}.P\theta$ and $D\theta$ corresponds to the $\mathcal{Q}\vec{y}$-distinction. In the base case, where the quantifier prefix $\mathcal{Q}\vec{x}$ is empty, the quantifier $\mathcal{Q}\vec{y}$ is also the empty prefix. In this case we have $P\theta = P$, therefore $P \supset P\theta$ holds trivially. There are the following two inductive cases.

(1) Suppose $\mathcal{Q}\vec{x}.P = \mathcal{Q}\vec{u}\nabla z.P$. Let $D'$ be the distinction that corresponds to $\mathcal{Q}\vec{u}$. Note that by definition, we have $D = D' \cup \{(z, v), (v, z) \mid v \in D'\}$. Let $\theta'$ be the substitution $\theta$ with domain restricted to $\{\vec{u}\}$. Since $\theta$ respects $D$, obviously $\theta'$ respects $D'$ and $\theta(z) \neq \theta(v)$ for all $v \in D'$. By induction hypothesis, we have a proof of the formula $\mathcal{Q}\vec{u}.(\nabla z.P) \supset \mathcal{Q}\vec{m}.(\nabla z.P)\theta'$ for some quantifier prefix $\mathcal{Q}\vec{m}$ such that $D'\theta'$ is the $\mathcal{Q}\vec{m}$-distinction. Note that since $z$ is not in the domain of $\theta'$, we have $(\nabla z.P)\theta' = \nabla z.(P\theta')$. Let $w = \theta(z)$. Since $w$ is distinct from all other free names in $D'\theta'$, we can rename $z$ with $w$, thus,

$$\vdash \mathcal{Q}\vec{u}\nabla z.P \supset \mathcal{Q}\vec{m}\nabla w.P(\theta' \circ [w/z]).$$

But $\theta' \circ [w/z]$ is exactly $\theta$. Let $\mathcal{Q}\vec{y}$ be the prefix $\mathcal{Q}\vec{m}\nabla w$. It then follows that

$$\vdash \mathcal{Q}\vec{x}.P \supset \mathcal{Q}\vec{y}.P\theta.$$

Moreover, $D\theta$ can be easily shown to be the $\mathcal{Q}\vec{y}$-distinction.

(2) Suppose $\mathcal{Q}\vec{x}.P = \mathcal{Q}\vec{u}\forall z.P$. Note that in this case, the $\mathcal{Q}\vec{x}$-distinction and the $\mathcal{Q}\vec{u}$-distinction coincide, i.e., both are the same distinction $D$. Moreover, $z \notin fv(D)$. Let $\theta'$ be the substitution $\theta$ restricted to the domain $\{\vec{u}\}$. By induction hypothesis, we have that $\vdash \mathcal{Q}\vec{u}.(\forall z.P) \supset \mathcal{Q}\vec{m}.(\forall z.P)\theta'$, for some quantifier prefix $\mathcal{Q}\vec{m}$ such that $\mathcal{Q}\vec{m}$ corresponds to $D\theta'$. Note that $D\theta' = D\theta$, because $z \notin fv(D)$. There are two cases to consider when constructing $\mathcal{Q}\vec{y}$. The first case is when $z$ is identified, by $\theta$, with some name in $\{\vec{u}\}$. In this case, by the property of universal quantification, we have that $\vdash \mathcal{Q}\vec{u}\forall z.P \supset \mathcal{Q}\vec{m}.P\theta$. In this case, we let $\mathcal{Q}\vec{y} = \mathcal{Q}\vec{m}$. Note that $D\theta'$ is the same as $D\theta$ in this case. Therefore $D\theta$ is the $\mathcal{Q}\vec{y}$-distinction. For the second case, we have that $z$ is instantiated by $\theta$ to a new name, say $w$. Then following the same argument as the case with $\nabla$, we have that $\vdash \mathcal{Q}\vec{u}\forall z.P \supset \mathcal{Q}\vec{m}\forall w.P\theta$. In this case, we let $\mathcal{Q}\vec{y} = \mathcal{Q}\vec{m}\forall w$. Note that in this case the $\mathcal{Q}\vec{y}$-distinction also coincides with the $\mathcal{Q}\vec{m}$-distinction, i.e., both are the same set $D\theta$. □

In the proof of soundness of open bisimulation to follow, we make use of a property of the structure of proofs of certain sequents. The following three lemmas state some meta-level properties of $FO\lambda^{\Delta\nabla}$. Their proofs are easy and are omitted.

Lemma 41. Suppose the sequent $\Sigma ; \Delta \vdash C$ is provable, where $C$ is an existential judgment and $\Delta$ is a set of inequalities between distinct terms, i.e., every element of $\Delta$ is of the form $\vec{n} \triangleright s \neq t$, for some $\vec{n}$, $s$ and $t$. Then there exists a proof of the sequent ending with $\exists\mathcal{R}$ applied to $C$.

Lemma 42. For any positive formula context $C[\,]$, $\vdash C[\forall x.B] \supset C[B[t/x]]$.

Lemma 43. Let $\mathcal{Q}\vec{x}$ be a quantifier prefix. If $\mathcal{Q}\vec{x}.P$ and $\mathcal{Q}\vec{x}.P \supset Q$ are provable then $\mathcal{Q}\vec{x}.Q$ is provable.

Lemma 44. Let $D$ be a conjunction of inequalities between terms. If $\vdash \mathcal{Q}\vec{x}.D \supset \nabla y.P$, where $y$ is not free in $D$, then $\vdash \mathcal{Q}\vec{x}\nabla y.D \supset P$.

The following lemma is a simple corollary of Proposition 8 and Proposition 4.

Lemma 45. $P \xrightarrow{\alpha} Q$ if and only if $\mathcal{Q}\vec{n}.[P \xrightarrow{\alpha} Q]$ is provable, where $\mathcal{Q}\vec{n}$ is a quantifier prefix and $\vec{n}$ are the free names of $P$.

To prove soundness of the open bisimulation specification, we define a family of sets $S_D$ in the following, and show that it is indeed an open bisimulation.

$$S_D = \{(P, Q) \mid\ \vdash \mathcal{Q}\vec{n}.[D'] \supset \mathit{lbisim}\ P\ Q \text{ and } fn(P, Q, D') = \{\vec{n}\} \text{ and } D = D' \cup D'', \text{ where } D'' \text{ is the } \mathcal{Q}\vec{n}\text{-distinction}\}$$

Suppose $(P, Q) \in S_D$. That is, $\vdash \mathcal{Q}\vec{n}.[D'] \supset \mathit{lbisim}\ P\ Q$. Let $D''$ be the distinction that corresponds to the prefix $\mathcal{Q}\vec{n}$. We have to show that for every name substitution $\theta$ which respects $D$, the set $S$ is closed under conditions 1, 2, and 3 in Definition 14. Since $\theta$ respects $D$, it also respects $D''$ (since $D''$ is a subset of $D$). Therefore, it follows from Lemma 18 that there exists a prefix $\mathcal{Q}\vec{x}$ such that $D''\theta$ is the $\mathcal{Q}\vec{x}$-distinction, and $\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset \mathit{lbisim}\ (P\theta)\ (Q\theta)$. By the invertibility of $\mathit{def}\mathcal{R}$ on $\mathit{lbisim}$ and the right-introduction rules for $\forall$, $\nabla$, $\supset$ and $\wedge$, we can infer that provability of the above formula implies provability of six other formulas, three of which are given in the following (the other three are symmetric variants of these formulas):

(a) $\mathcal{Q}\vec{x}.[D'\theta] \supset \forall P' \forall A. P\theta \xrightarrow{A} P' \supset \exists Q'. Q\theta \xrightarrow{A} Q' \wedge \mathit{lbisim}\ P'\ Q'$

(b) $\mathcal{Q}\vec{x}.[D'\theta] \supset \forall M \forall X. P\theta \overset{\downarrow X}{\rightharpoonup} M \supset \exists N. Q\theta \overset{\downarrow X}{\rightharpoonup} N \wedge \forall w.\mathit{lbisim}\ (M\,w)\ (N\,w)$

(c) $\mathcal{Q}\vec{x}.[D'\theta] \supset \forall M \forall X. P\theta \overset{\uparrow X}{\rightharpoonup} M \supset \exists N. Q\theta \overset{\uparrow X}{\rightharpoonup} N \wedge \nabla w.\mathit{lbisim}\ (M\,w)\ (N\,w)$

Using provability of these formulas, we show that $S$ is closed under free actions, bound input actions and bound output actions.
— Suppose $P\theta \xrightarrow{\alpha} R$ where $\alpha$ is a free action. By Lemma 45, we have that

$$\vdash \mathcal{Q}\vec{x}. P\theta \xrightarrow{\alpha} R. \qquad (4)$$

From formula (a) and Lemma 42, we have that

$$\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset P\theta \xrightarrow{\alpha} R \supset \exists Q'. Q\theta \xrightarrow{\alpha} Q' \wedge \mathit{lbisim}\ R\ Q'. \qquad (5)$$

Applying Lemma 43 to formulas (4) and (5) above, we have that

$$\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset \exists Q'. Q\theta \xrightarrow{\alpha} Q' \wedge \mathit{lbisim}\ R\ Q'.$$

The latter implies, by the invertibility of the right rules for $\forall$ and $\nabla$, provability of the sequent

$$\Sigma ; D_1 \vdash \vec{m} \triangleright \exists Q'. Q' \xrightarrow{\alpha'} Q' \wedge \mathit{lbisim}\ R'\ Q'$$

where $\Sigma$ are the eigenvariables corresponding to the universally quantified variables in $\mathcal{Q}\vec{x}$ (with appropriate raising) and $\vec{m}$ corresponds to the $\nabla$-quantified variables in the same prefix. The terms $Q'$, $R'$, $D_1$ and $\alpha'$ are obtained from, respectively, $Q\theta$, $R$, $[D'\theta]$ and $\alpha$ by replacing their free names with their raised counterparts. Note that since $\theta$ respects $D'$, the inequalities in $D_1$ are those that relate distinct terms, hence, by Lemma 41, provability of the above sequent implies the existence of a term $T'$ such that $\vdash \Sigma ; D_1 \vdash \vec{m} \triangleright Q' \xrightarrow{\alpha'} T'$ and

$$\vdash \Sigma ; D_1 \vdash \vec{m} \triangleright \mathit{lbisim}\ R'\ T'. \qquad (6)$$

It can be shown by induction on the height of derivations that $D_1$ in the first sequent can be removed, hence we have that

$$\vdash \Sigma ; \cdot \vdash \vec{m} \triangleright Q' \xrightarrow{\alpha'} T'.$$

Applying the appropriate introduction rules to this sequent (top down), we "un-raise" the variables in $\Sigma$ and obtain $\vdash \mathcal{Q}\vec{x}. Q\theta \xrightarrow{\alpha} T$, where $T$ corresponds to $T'$. By Lemma 45, this means that $Q\theta \xrightarrow{\alpha} T$. It remains to show that $(R, T) \in S_{D\theta}$. This is obtained from the sequent (6) above as follows. We apply the introduction rules for quantifiers and implication (top down) to sequent (6), hence un-raising the variables in $\Sigma$, and obtain the provable formula $\mathcal{Q}\vec{x}.[D'\theta] \supset \mathit{lbisim}\ R\ T$, from which it follows that $(R, T) \in S_{D\theta}$.

— Suppose $P\theta \xrightarrow{a(y)} R$. As in the previous case, using Lemma 45, Lemma 42, Lemma 43 and formula (b) we can show that

$$\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset \exists N. Q\theta \overset{\downarrow a}{\rightharpoonup} N \wedge \forall w.\mathit{lbisim}\ (R[w/y])\ (N\,y).$$

From this formula, we can show that there exists $T$ such that $\mathcal{Q}\vec{x}. Q\theta \overset{\downarrow a}{\rightharpoonup} \lambda z.T$, therefore $Q\theta \xrightarrow{a(z)} T$, and that

$$\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset \forall w.\mathit{lbisim}\ (R[w/y])\ (T[w/z]). \qquad (7)$$

We need to show that for a fresh name $w$, $(R[w/y], T[w/z]) \in S_{D\theta}$. From provability of formula (7), and the fact that $(A \supset \forall x.B) \supset \forall x.(A \supset B)$, we obtain

$$\vdash \mathcal{Q}\vec{x}\forall w.[D'\theta] \supset \mathit{lbisim}\ (R[w/y])\ (T[w/z]).$$

Since the $\mathcal{Q}\vec{x}\forall w$-distinction is the same as the $\mathcal{Q}\vec{x}$-distinction, the overall distinction encoded in the above formula is $D\theta$; therefore, by definition of $S$, we have $(R[w/y], T[w/z]) \in S_{D\theta}$.

— Suppose $P\theta \xrightarrow{\bar{a}(y)} R$. This case is similar to the bound input case. Applying the same arguments shows that there exists a process $T$ such that $Q\theta \xrightarrow{\bar{a}(z)} T$ and

$$\vdash \mathcal{Q}\vec{x}.[D'\theta] \supset \nabla w.\mathit{lbisim}\ (R[w/y])\ (T[w/z]). \qquad (8)$$

We have to show that, for a fresh $w$, $(R[w/y], T[w/z]) \in S_{D_2}$ where $D_2 = D\theta \cup \{w\} \times fn(D\theta, P\theta, Q\theta)$. Note that the free names of $D\theta$, $P\theta$ and $Q\theta$ are all in $\vec{x}$ by definition. From formula (8) and Lemma 44, we have that

$$\vdash \mathcal{Q}\vec{x}\nabla w.[D'\theta] \supset \mathit{lbisim}\ (R[w/y])\ (T[w/z]).$$

Notice that the $\mathcal{Q}\vec{x}\nabla w$-distinction is $D''\theta \cup \{w\} \times \{\vec{x}\}$, and since $\vec{x}$ are the free names of $D\theta$, $P\theta$ and $Q\theta$, the overall distinction encoded by the above formula is exactly $D_2$, hence $(R[w/y], T[w/z]) \in S_{D_2}$ as required. □

The proof of Theorem 21 is analogous to the completeness proof for Theorem 15. Suppose $P$ and $Q$ are open $D$-bisimilar. We construct a derivation of the formula

$$\forall n_1 \cdots \forall n_k.([D] \supset \mathit{lbisim}\ P\ Q) \qquad (9)$$

by induction on the number of action prefixes in $P$ and $Q$. By applying the introduction rules for $\forall$, $\supset$ and unfolding the definition of $\mathit{lbisim}$ (bottom up) to the formula (9), we get the following sequents:

(1) $n_1, \ldots, n_k, A, P' ; [D], P \xrightarrow{A} P' \vdash \exists Q'. Q \xrightarrow{A} Q' \wedge \mathit{lbisim}\ P'\ Q'$

(2) $n_1, \ldots, n_k, X, P' ; [D], P \overset{\downarrow X}{\rightharpoonup} P' \vdash \exists Q'. Q \overset{\downarrow X}{\rightharpoonup} Q' \wedge \forall w.\mathit{lbisim}\ (P'\,w)\ (Q'\,w)$

(3) $n_1, \ldots, n_k, X, P' ; [D], P \overset{\uparrow X}{\rightharpoonup} P' \vdash \exists Q'. Q \overset{\uparrow X}{\rightharpoonup} Q' \wedge \nabla w.\mathit{lbisim}\ (P'\,w)\ (Q'\,w)$

and their symmetric counterparts. We show here how to construct proofs for these three sequents; the rest can be proved similarly. In all these three cases, we apply either the $\mathit{one}_f$ rule (for sequent 1) or the $\mathit{one}_b$ rule (for sequents 2 and 3). If this application of $\mathit{one}_f$ (or $\mathit{one}_b$) results in two distinct name-variables, say $n_1$ and $n_2$, in $D$ to be identified, then the sequent is proved by using the assumption $n_1 \neq n_2$ in $D$. Therefore the only interesting cases are when the instantiations of name-variables $n_1, \ldots, n_k$ respect the distinction $D$. In the following we assume the names $n_1, \ldots, n_k$ are instantiated to $m_1, \ldots, m_l$ and the distinction $D$ is respected. Note that $l$ may be smaller than $k$, depending on $D$, i.e., it may allow some names to be identified.

Sequent 1. In this case, after applying the $\mathit{one}_f$ rule bottom up and discharging the trivial premises (i.e., those that violate the distinction $D$), we need to prove, for each $\theta$ associated with the rule, the sequent

$$m_1, \ldots, m_l, \Sigma ; [D\theta] \vdash \exists Q'. Q\theta \xrightarrow{A\theta} Q' \wedge \mathit{lbisim}\ (P'\theta)\ Q' \qquad (10)$$

for some signature $\Sigma$. By Lemma 34, we know that $m_1, \ldots, m_l, \Sigma ; \cdot \vdash P\theta \xrightarrow{A\theta} P'\theta$ is provable. Since $m_1, \ldots, m_l$ are the only free names in $P\theta$, we can show by induction on proofs that $\Sigma$ in the sequent is redundant and can be removed, thus the sequent $m_1, \ldots, m_l ; \cdot \vdash P\theta \xrightarrow{A\theta} P'\theta$ is also provable. By the adequacy of one-step transition (Proposition 8) and Proposition 4, we have $P\theta \xrightarrow{\alpha} R$ for some free action $\alpha$ and $R$ where $\alpha = A\theta$ and $P'\theta = R$. Let $\theta'$ be $\theta$ with domain restricted to $\{n_1, \ldots, n_k\}$. Obviously, $\theta'$ respects $D$ and $D\theta' = D\theta$. Since $P$ and $Q$ are open $D$-bisimilar, we have that there exists $T$ such that $Q\theta \xrightarrow{\alpha} T$ and $R \sim_o^{D\theta} T$, hence by induction hypothesis, we have that

$$\vdash \forall m_1 \cdots \forall m_l.[D\theta] \supset \mathit{lbisim}\ P'\theta\ T. \qquad (11)$$

Provability of sequent (10) follows from these facts, by instantiating $Q'$ with $T$.
Sequent 2. In this case, we need to prove the sequent

$$m_1, \ldots, m_l, \Sigma ; [D\theta] \vdash \exists Q'. Q\theta \overset{\downarrow X\theta}{\rightharpoonup} Q' \wedge \forall w.\mathit{lbisim}\ ((P'\theta)\,w)\ (Q'\,w) \qquad (12)$$

for each non-trivial $\theta$ in the premises of the $\mathit{one}_b$ rule. By the same reasoning as in the previous case, we obtain, for every transition $P\theta \xrightarrow{x(w)} R$, where $R = (P'\theta)\,w$, another transition $Q\theta \xrightarrow{x(w)} T$ such that (we assume w.l.o.g. that $w$ is fresh) $R \sim_o^{D\theta} T$. The former implies that $Q\theta \overset{\downarrow x}{\rightharpoonup} \lambda w.T$ is derivable, and the latter implies, by induction hypothesis, that

$$\forall m_1 \cdots \forall m_l \forall w.[D\theta] \supset \mathit{lbisim}\ R\ T$$

is derivable. As in the previous case, from these two facts, we can prove the sequent (12) by instantiating $Q'$ with $\lambda w.T$.

Sequent 3. In this case, we need to prove the sequent

$$m_1, \ldots, m_l, \Sigma ; [D\theta] \vdash \exists Q'. Q\theta \overset{\uparrow X\theta}{\rightharpoonup} Q' \wedge \nabla w.\mathit{lbisim}\ ((P'\theta)\,w)\ (Q'\,w) \qquad (13)$$

for each non-trivial $\theta$ in the premises of the $\mathit{one}_b$ rule. As in the previous case, we obtain $R$ and $T$ such that $P\theta \xrightarrow{\bar{x}(w)} R$ and $Q\theta \xrightarrow{\bar{x}(w)} T$ where $\lambda w.R = P'\theta$. We assume, without loss of generality, that $w$ is fresh, therefore since $P \sim_o^D Q$, by definition we have that $R \sim_o^{D'} T$, where $D' = D\theta \cup \{x\} \times fn(D\theta, P\theta, Q\theta)$. Note that the free names of $D\theta$, $P\theta$ and $Q\theta$ are exactly $m_1, \ldots, m_l$, so $D' = D\theta \cup \{x\} \times \{m_1, \ldots, m_l\}$. Thus by induction hypothesis, the formula

$$\forall m_1 \cdots \forall m_l \forall w.[D'] \supset \mathit{lbisim}\ R\ T$$

is provable. Now apply Proposition 3 to replace $\forall w$ with $\nabla w$,

$$\forall m_1 \cdots \forall m_k \nabla w.[D'] \supset \mathit{lbisim}\ R\ T.$$

And since $\nabla$ distributes over all propositional connectives, we also have

$$\forall m_1 \cdots \forall m_k.(\nabla w.[D']) \supset \nabla w.\mathit{lbisim}\ R\ T.$$

It can be shown that $m_1, \ldots, m_l ; \cdot \vdash \nabla w.[D'] \supset [D\theta]$ is provable, since the inequalities between $w$ and $m_1, \ldots, m_k$ are trivially true. Therefore we have that

$$\vdash \forall m_1 \cdots \forall m_k.[D\theta] \supset \nabla w.\mathit{lbisim}\ R\ T. \qquad (14)$$

Now in order to prove sequent (13), we instantiate $Q'$ with $\lambda w.T$, and the rest of the proof proceeds as in the previous case, i.e., with the help of formula (14). □

B.6 "Early" open bisimulation

The proof of Theorem 23 is by induction on the number of input prefixes in $P$ and $Q$. We prove a more general result: $\vdash \mathcal{Q}\vec{n}.\mathit{lbisim}\ P\ Q$ if and only if $\vdash \mathcal{Q}\vec{n}.\mathit{ebisim}\ P\ Q$, for any quantifier prefix $\mathcal{Q}\vec{n}$. By Lemma 37 and Lemma 38, and the invertibility of the $\forall\mathcal{R}$ and $\nabla\mathcal{R}$ rules, we know that if $\vdash \mathcal{Q}\vec{n}.\mathit{lbisim}\ P\ Q$ and $\vdash \mathcal{Q}\vec{n}.\mathit{ebisim}\ P\ Q$, then their unfolded instances are also provable. We show that one can construct a derivation for one instance from the other. The non-trivial case is when the bound input transition is involved. That is, given a derivation of

$$\mathcal{Q}\vec{n}.[\forall X \forall P'. P \overset{\downarrow X}{\rightharpoonup} P' \supset \forall w \exists Q'. Q \overset{\downarrow X}{\rightharpoonup} Q' \wedge \mathit{ebisim}\ (P'\,w)\ (Q'\,w)]$$

we can construct a derivation of

$$\mathcal{Q}\vec{n}.[\forall X \forall P'. P \overset{\downarrow X}{\rightharpoonup} P' \supset \exists Q'. Q \overset{\downarrow X}{\rightharpoonup} Q' \wedge \forall w.\mathit{ebisim}\ (P'\,w)\ (Q'\,w)]$$

and vice versa. Note that we cannot do any analysis on the universally quantified name $w$ in both formulas, since we do not have any assumptions on names (e.g., the excluded middle on names as in the adequacy theorem for late bisimulation). It is then easy to check that the choice of $Q'$ in both cases is independent of the name $w$, and their correspondence follows straightforwardly from the induction hypothesis. □

C. ADEQUACY OF THE SPECIFICATIONS OF MODAL LOGICS 

The completeness proof of the modal logics specification shares similar structures 
with the completeness proofs for specifications of bisimulation. In particular, we 
use an analog of Lemma 39, given in the following. 
Lemma 46. Let $P$ be a process and $A$ an assertion such that $P \models A$. Then

$$\vdash \forall n_1 \cdots \forall n_k.\ \mathcal{X} \wedge n_1 \neq \cdots \neq n_k \supset \lceil P \models A \rceil$$

for some $\mathcal{X} \subseteq \mathcal{E}$ and some names $n_1, \ldots, n_k$ such that $\mathrm{fn}(P, A) \subseteq \{n_1, \ldots, n_k\}$.

The proof of the lemma proceeds by induction on the size of $A$. The crucial step is when its interpretation in $\mathrm{FO}\lambda^{\nabla}$ contains universal quantification over names, e.g., when $A = [x(y)]B$. In this case, we again use the same technique as in the proof of Lemma 39, i.e., using the excluded middle assumptions on names to enumerate all possible instances of the judgments. A more detailed proof can be found in the electronic appendix of this paper.

C.1 Proof of Theorem 25 (Adequacy of the modal logic encoding)

First consider proving the soundness part of this theorem. Suppose we have a derivation $\Pi$ of $\cdot\,;\,\mathcal{X} \vdash \nabla\vec n.\lceil P \models A \rceil$. We want to show that $P \models A$. This is proved by induction on the size of $A$. The proof also uses the property of invertible rules and the fact that applications of the excluded middles in $\mathcal{X}$ in deriving the sequent can be permuted up over all the right introduction rules. The latter is a consequence of Lemma 36. We look at a couple of interesting cases involving bound input and bound output.

out: Suppose $A$ is $[\bar x(y)]B$. We need to show that for every $P'$ such that $P \xrightarrow{\bar x(y)} P'$, we have $P' \models B$. (By $\alpha$-conversion we can assume without loss of generality that $y$ is not free in $P$ and $A$.) Note that here the occurrence of $y$ in $P'$ is bound in the transition judgment $P \xrightarrow{\bar x(y)} P'$. By Lemma 36 and the invertibility of certain inference rules, we can show that provability of $\cdot\,;\,\mathcal{X} \vdash \nabla\vec n.\lceil P \models A \rceil$ implies the existence of a derivation $\Pi'$ of

$$M\,;\,\mathcal{X},\ \vec n \triangleright \lceil P \rceil \xrightarrow{\uparrow x} M\vec n \ \vdash\ \vec n \triangleright \nabla y.\ M\vec n y \models \lceil B \rceil$$

for some eigenvariable $M$. By the adequacy of one-step transitions, we have that $\vdash \nabla\vec n.\ \lceil P \rceil \xrightarrow{\uparrow x} \lambda y.\lceil P' \rceil$. Let $\theta$ be the substitution $[(\lambda\vec n\lambda y.\lceil P' \rceil)/M]$. Applying $\theta$ to $\Pi'$ we get the derivation $\Pi'\theta$ of $\cdot\,;\,\vec n \triangleright \lceil P \rceil \xrightarrow{\uparrow x} \lambda y.\lceil P' \rceil \ \vdash\ \vec n \triangleright \nabla y.\ \lceil P' \rceil \models \lceil B \rceil$. By cutting this derivation with the one-step transition judgment above, we obtain a derivation of $\cdot\,;\,\cdot \vdash \vec n \triangleright \nabla y.\ \lceil P' \rceil \models \lceil B \rceil$. Hence by the induction hypothesis, we have that $P' \models B$.

in: Suppose $A$ is $\langle x(y) \rangle^L B$. We show that there exists a process $P'$ such that $P \xrightarrow{x(y)} P'$ and for all names $w$, $P'[w/y] \models B[w/y]$. It is enough to consider the case where $w$ is a name in $\mathrm{fn}(P, A)$ and the case where $w$ is a new name not in $\mathrm{fn}(P, A)$. By Lemma 36 and the invertibility of some inference rules, we can show that provability of $\cdot\,;\,\mathcal{X} \vdash \vec n \triangleright \lceil P \rceil \models \lceil \langle x(y) \rangle^L B \rceil$ implies the existence of two derivations $\Pi_1$ and $\Pi_2$, of the sequents $\cdot\,;\,\mathcal{X} \vdash \vec n \triangleright \lceil P \rceil \xrightarrow{\downarrow x} N$ and $\cdot\,;\,\mathcal{X} \vdash \vec n \triangleright \forall y.\ Ny \models \lceil B \rceil$, respectively, for some closed term $N$.

By the adequacy result in Proposition 8, there exists a process $P'$ such that $\lceil P' \rceil = Ny$ and $P \xrightarrow{x(y)} P'$. By Proposition 5, we can instantiate $y$ with any of the free names occurring in $P$ or $A$ (since they are all in the list $\vec n$), and hence for any name $w \in \mathrm{fn}(P, A)$ by the induction hypothesis we get $P'[w/y] \models B[w/y]$. The case where $w$ is a new name is dealt with as follows. Without loss of generality we assume that $y = w$ (since we can always choose $y$ to be sufficiently fresh). From $\Pi_2$ it follows that $\vdash \mathcal{X} \supset \nabla\vec n.\forall y.\ \lceil P' \rceil \models \lceil B \rceil$. Using the $\mathrm{FO}\lambda^{\nabla}$ theorems

$$(\nabla x \forall y.P) \supset \forall y \nabla x.P \qquad\text{and}\qquad (P \supset \forall z.Q) \supset \forall z.(P \supset Q)$$

where $z$ is not free in $P$, we can move the $\forall y$ quantification in $\mathcal{X} \supset \nabla\vec n.\forall y.\ \lceil P' \rceil \models \lceil B \rceil$ to the outermost level and get the provable formula $\forall y.(\mathcal{X} \supset \nabla\vec n.\ \lceil P' \rceil \models \lceil B \rceil)$. We then apply Proposition 3 to turn $\forall y$ into $\nabla y$, thus obtaining a derivation of $\nabla y.(\mathcal{X} \supset \nabla\vec n.\ \lceil P' \rceil \models \lceil B \rceil)$, and by distributing $\nabla$ over $\supset$, we get $(\nabla y.\mathcal{X}) \supset \nabla y \nabla\vec n.\ \lceil P' \rceil \models \lceil B \rceil$. We can now apply the induction hypothesis to get $P' \models B$.

Next we consider proving the completeness part of Theorem 25. Given $P \models A$, we would like to show that $\cdot\,;\,\mathcal{X} \vdash \nabla\vec n.\lceil P \models A \rceil$ is provable. By Lemma 46, there are $m_1, \ldots, m_k$ and $\mathcal{X}'$ such that

$$\vdash \forall m_1 \cdots \forall m_k.\ \mathcal{X}' \wedge m_1 \neq m_2 \cdots \neq m_k \supset \lceil P \models A \rceil.$$

Let $\vec n = m_1, \ldots, m_k$ and let $\mathcal{X} = \nabla\vec n.\mathcal{X}'$. By Proposition 3, we have a derivation of

$$\nabla m_1 \cdots \nabla m_k.\ \mathcal{X}' \wedge m_1 \neq m_2 \cdots \neq m_k \supset \lceil P \models A \rceil.$$

By distributing the $\nabla$'s over implication and conjunction we obtain

$$\mathcal{X} \wedge (\nabla\vec n.\ m_1 \neq m_2 \cdots \neq m_k) \supset \nabla\vec n.\lceil P \models A \rceil.$$

But since $\nabla\vec n.\ m_1 \neq m_2 \cdots \neq m_k$ is provable, by cut we obtain a derivation of $\cdot\,;\,\mathcal{X} \vdash \nabla\vec n.\lceil P \models A \rceil$. □

D. CHARACTERISATION OF OPEN BISIMULATION 

Lemma 47. Let $P$ and $Q$ be two processes. If for all $A \in \mathcal{LM}$, $\vdash (\mathcal{Q}\vec n.P \models A)$ if and only if $\vdash (\mathcal{Q}\vec n.Q \models A)$, where $\mathrm{fn}(P, Q, A) \subseteq \{\vec n\}$, then $P \sim^D Q$, where $D$ is the $\mathcal{Q}\vec n$-distinction.

Proof. Let $\mathcal{S}$ be the following family of relations

$$\mathcal{S}_D = \{(P, Q) \mid \text{for all } A,\ \vdash (\mathcal{Q}\vec n.P \models A) \text{ iff } \vdash (\mathcal{Q}\vec n.Q \models A),\ \text{where } \mathrm{fn}(P, Q, A) \subseteq \{\vec n\} \text{ and } D \text{ is the } \mathcal{Q}\vec n\text{-distinction}\}.$$

We then show that $\mathcal{S}$ is an open bisimulation. $\mathcal{S}$ is obviously symmetric, so it remains to show that it is closed under one-step transitions. We show here a case involving bound output; the rest are treated analogously.

Suppose $(P, Q) \in \mathcal{S}_D$. Then we have that for all $A$, $\vdash \mathcal{Q}\vec n.P \models A$ iff $\vdash \mathcal{Q}\vec n.Q \models A$, for some prefix $\mathcal{Q}\vec n$. Let $\theta$ be a substitution that respects $D$. Suppose $P\theta \xrightarrow{\bar x(y)} P'$. We need to show that there exists a $Q'$ such that $Q\theta \xrightarrow{\bar x(y)} Q'$ and $P' \sim^{D'} Q'$, where $D' = D\theta \cup \{y\} \times \mathrm{fn}(P, Q, D)$. (Here we assume w.l.o.g. that $y$ is chosen to be sufficiently fresh.) Suppose $\theta$ identifies the following pairs of names in $P$ and $Q$: $(x_1, y_1), \ldots, (x_k, y_k)$, and suppose that $\theta(z) = x$. Then by the definition of $\mathcal{S}_D$, for all $B$,

$$\vdash \mathcal{Q}\vec n.P \models [x_1 = y_1][x_2 = y_2] \cdots [x_k = y_k]\langle \bar z(y) \rangle B$$

if and only if

$$\vdash \mathcal{Q}\vec n.Q \models [x_1 = y_1][x_2 = y_2] \cdots [x_k = y_k]\langle \bar z(y) \rangle B.$$

Note that the statement cannot hold vacuously, since for at least one instance of $B$, i.e., $B = \mathit{true}$, both judgments must be true. By analysis on the (supposed) cut-free proofs of both judgments, for any $B$, the above statement reduces to

$$\vdash \mathcal{Q}\vec m.P\theta \models \langle \bar x(y) \rangle B\theta \quad\text{iff}\quad \vdash \mathcal{Q}\vec m.Q\theta \models \langle \bar x(y) \rangle B\theta,$$

for some prefix $\mathcal{Q}\vec m$ such that the $\mathcal{Q}\vec m$-distinction is the result of applying $\theta$ to the $\mathcal{Q}\vec n$-distinction.

Now let $\{Q_i\}_{i \in I}$ be the set of all $Q'$ such that $Q\theta \xrightarrow{\bar x(y)} Q'$, and suppose that for all $i \in I$, $P' \not\sim^{D'} Q_i$. That means that there exists an $A_i$, for each $i \in I$, that separates $P'$ and $Q_i$, i.e., $\vdash (\mathcal{Q}\vec m \nabla y.P' \models A_i)$ but $\nvdash (\mathcal{Q}\vec m \nabla y.Q_i \models A_i)$. Note that we can assume w.l.o.g. that $\vec m$ includes all the free names of $A_i$ (recall that $\vec n$ is really a schematic list of names, dependent on the choice of $A$ in the first place). Let $B\theta$ be $\bigwedge_{i \in I} A_i$. Then, by analysis of cut-free proofs, we can show that $\vdash (\mathcal{Q}\vec m.P\theta \models \langle \bar x(y) \rangle B\theta)$ but $\nvdash (\mathcal{Q}\vec m.Q\theta \models \langle \bar x(y) \rangle B\theta)$, which contradicts our initial assumption. Therefore, there must be one $Q'$ such that $Q\theta \xrightarrow{\bar x(y)} Q'$ and $P' \sim^{D'} Q'$. □

Lemma 48. Let $P$ and $Q$ be two processes such that $P \sim^D Q$ for some distinction $D$. Then for all $A \in \mathcal{LM}$ and for all prefixes $\mathcal{Q}\vec n$ such that $D$ corresponds to the $\mathcal{Q}\vec n$-distinction and $\mathrm{fn}(P, Q, D) \subseteq \{\vec n\}$, $\vdash \mathcal{Q}\vec n.P \models A$ if and only if $\vdash \mathcal{Q}\vec n.Q \models A$.

PROOF. Suppose that $P \sim^D Q$ and $\vdash \mathcal{Q}\vec n.P \models A$. We show, by induction on the size of $A$, that $\vdash \mathcal{Q}\vec n.Q \models A$. The other direction is proved symmetrically, since open bisimulation is symmetric. We look at the interesting cases.

— Suppose $A = \langle \bar x(y) \rangle B$ for some $B$. By analysis on the cut-free derivations of $\mathcal{Q}\vec n.P \models A$, it can be shown that

$$\vdash \mathcal{Q}\vec n.\exists M.\ P \xrightarrow{\uparrow x} M \wedge \nabla y.(My) \models B.$$

This entails that there exists a process $P'$ such that

$$\vdash \mathcal{Q}\vec n.\ P \xrightarrow{\uparrow x} \lambda y.P' \wedge \nabla y.P' \models B.$$

And by the invertibility of the right-introduction rules for $\nabla$, $\forall$ and $\wedge$, this in turn entails that $\vdash \mathcal{Q}\vec n.P \xrightarrow{\uparrow x} \lambda y.P'$ and $\vdash \mathcal{Q}\vec n \nabla y.P' \models B$. The former implies, by the adequacy of one-step transitions, that $P \xrightarrow{\bar x(y)} P'$. Since $P \sim^D Q$, this means that there exists $Q'$ such that $Q \xrightarrow{\bar x(y)} Q'$ and $P' \sim^{D'} Q'$, where $D' = D \cup \{y\} \times \mathrm{fn}(P, Q, D)$. At this point we are almost ready to apply the induction hypothesis to $\mathcal{Q}\vec n \nabla y.P' \models B$, except that $D'$ may not correspond to the $\mathcal{Q}\vec n \nabla y$-distinction, since the latter may contain more inequal pairs than $D'$. However, since open bisimulation is closed under extensions of distinctions (see Lemma 6.3 in [Sangiorgi 1996]), we can assume without loss of generality that $D'$ is indeed the $\mathcal{Q}\vec n \nabla y$-distinction. Therefore by the adequacy of one-step transitions and the induction hypothesis, we conclude that $\vdash \mathcal{Q}\vec n.Q \xrightarrow{\uparrow x} \lambda y.Q'$ and $\vdash \mathcal{Q}\vec n \nabla y.Q' \models B$, and from these it follows that $\mathcal{Q}\vec n.Q \models A$ is also provable.
— Suppose $A = \langle x(y) \rangle B$. This case is analogous to the previous case. The only difference is that the bound input is universally quantified, instead of $\nabla$-quantified. So we apply the induction hypothesis to $\mathcal{Q}\vec n \forall y.P' \models B$, which can be done without resorting to extensions of the distinction $D$, since in this case the $\mathcal{Q}\vec n \forall y$-distinction is exactly $D$.

— For the cases where $A$ is prefixed by either $[x(y)]^L$ or , the proof follows a similar argument as in the completeness proof of open bisimulation (Theorem 21). For instance, for the case where $A = [x(y)]^L B$, from the fact that $\vdash \mathcal{Q}\vec n.P \models A$, it follows that

$$\vdash \mathcal{Q}\vec n.\forall M.(P \xrightarrow{\downarrow x} M \supset \exists y.(My) \models B).$$

As in the proof of Theorem 21, we can further show that there is a derivation of this formula that ends with the oneb-rule, such that every $\theta$ in its premise is a $D$-respecting substitution. Since $P \sim^D Q$, we can show that every bound input action of $P\theta$, for any $D$-respecting $\theta$, can be imitated by $Q\theta$ and vice versa. From this and the induction hypothesis, we can therefore obtain a derivation of

$$\mathcal{Q}\vec n.\forall N.(Q \xrightarrow{\downarrow x} N \supset \exists y.(Ny) \models B),$$

hence $\vdash \mathcal{Q}\vec n.Q \models A$. □

Finally, the proof of Theorem 26 now follows immediately from Lemma 47 and 
Lemma 48. □ 